remove old pimeyes.com IPs from erlking ipset

revert revert 883043f110

revert revert to new config

README.md

@@ -1,4 +1,5 @@
 ansible-playbooks
 =================
 
-Repo for my  Ansible playbooks
+Repo for my  Ansible playbooks.
+nextgen branch is for Ubuntu 18.04 systems only as that is what I am standardizing on.

centos/roles/icinga-client/files/restart.conf

@@ -0,0 +1,2 @@
+[Service]
+Restart=on-failure

centos/roles/icinga-client/tasks/main.yml

@@ -0,0 +1,35 @@
+---
+# This role installs Icinga 2 and the plugins required on a Icinga client nodes
+
+- name: Make sure EPEL repository is enabled
+  yum:
+    name: epel-release
+    state: latest
+- name: Add Icinga2 repository key
+  rpm_key:
+    state: present
+    key: https://packages.icinga.com/icinga.key
+- name: Install Icinga2 repository
+  yum:
+    name: https://packages.icinga.com/epel/icinga-rpm-release-7-latest.noarch.rpm
+    state: latest
+- name: Install Icinga2 packages
+  yum:
+    name: "{{ packages }}"
+  vars:
+    packages:
+      - icinga2
+      - nagios-plugins-all
+- name: Ensure icinga2 systemd folder exists
+  file:
+    path: /etc/systemd/system/icinga2.service.d/
+    state: directory
+- name: Copy custom icinga2 systemd service file modifications
+  copy:
+    src: restart.conf
+    dest: /etc/systemd/system/icinga2.service.d/restart.conf
+- name: Ensure that icinga2 systemd service is enabled
+  systemd:
+    name: icinga2
+    enabled: yes
+    daemon_reload: yes

centos/site.yml

@@ -0,0 +1,6 @@
+- name: install Icinga 2 for client usage
+  hosts: icinga-clients
+  user: root
+
+  roles:
+    - icinga-client

debian/roles/appservers-php/files/www.conf

@@ -1,392 +0,0 @@
-; Start a new pool named 'www'.
-; the variable $pool can we used in any directive and will be replaced by the
-; pool name ('www' here)
-[www]
-
-; Per pool prefix
-; It only applies on the following directives:
-; - 'slowlog'
-; - 'listen' (unixsocket)
-; - 'chroot'
-; - 'chdir'
-; - 'php_values'
-; - 'php_admin_values'
-; When not set, the global prefix (or /usr) applies instead.
-; Note: This directive can also be relative to the global prefix.
-; Default Value: none
-;prefix = /path/to/pools/$pool
-
-; Unix user/group of processes
-; Note: The user is mandatory. If the group is not set, the default user's group
-;       will be used.
-user = www-data
-group = www-data
-
-; The address on which to accept FastCGI requests.
-; Valid syntaxes are:
-;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific address on
-;                            a specific port;
-;   'port'                 - to listen on a TCP socket to all addresses on a
-;                            specific port;
-;   '/path/to/unix/socket' - to listen on a unix socket.
-; Note: This value is mandatory.
-listen = 127.0.0.1:9000
-
-; Set listen(2) backlog. A value of '-1' means unlimited.
-; Default Value: 128 (-1 on FreeBSD and OpenBSD)
-;listen.backlog = -1
-
-; Set permissions for unix socket, if one is used. In Linux, read/write
-; permissions must be set in order to allow connections from a web server. Many
-; BSD-derived systems allow connections regardless of permissions. 
-; Default Values: user and group are set as the running user
-;                 mode is set to 0666
-;listen.owner = www-data
-;listen.group = www-data
-;listen.mode = 0666
- 
-; List of ipv4 addresses of FastCGI clients which are allowed to connect.
-; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
-; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
-; must be separated by a comma. If this value is left blank, connections will be
-; accepted from any ip address.
-; Default Value: any
-listen.allowed_clients = 127.0.0.1
-
-; Specify the nice(2) priority to apply to the pool processes (only if set)
-; The value can vary from -19 (highest priority) to 20 (lower priority)
-; Note: - It will only work if the FPM master process is launched as root
-;       - The pool processes will inherit the master process priority
-;         unless it specified otherwise
-; Default Value: no set
-; priority = -19
-
-; Choose how the process manager will control the number of child processes.
-; Possible Values:
-;   static  - a fixed number (pm.max_children) of child processes;
-;   dynamic - the number of child processes are set dynamically based on the
-;             following directives. With this process management, there will be
-;             always at least 1 children.
-;             pm.max_children      - the maximum number of children that can
-;                                    be alive at the same time.
-;             pm.start_servers     - the number of children created on startup.
-;             pm.min_spare_servers - the minimum number of children in 'idle'
-;                                    state (waiting to process). If the number
-;                                    of 'idle' processes is less than this
-;                                    number then some children will be created.
-;             pm.max_spare_servers - the maximum number of children in 'idle'
-;                                    state (waiting to process). If the number
-;                                    of 'idle' processes is greater than this
-;                                    number then some children will be killed.
-;  ondemand - no children are created at startup. Children will be forked when
-;             new requests will connect. The following parameter are used:
-;             pm.max_children           - the maximum number of children that
-;                                         can be alive at the same time.
-;             pm.process_idle_timeout   - The number of seconds after which
-;                                         an idle process will be killed.
-; Note: This value is mandatory.
-pm = dynamic
-
-; The number of child processes to be created when pm is set to 'static' and the
-; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
-; This value sets the limit on the number of simultaneous requests that will be
-; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
-; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
-; CGI. The below defaults are based on a server without much resources. Don't
-; forget to tweak pm.* to fit your needs.
-; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
-; Note: This value is mandatory.
-pm.max_children = 5
-
-; The number of child processes created on startup.
-; Note: Used only when pm is set to 'dynamic'
-; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
-pm.start_servers = 2
-
-; The desired minimum number of idle server processes.
-; Note: Used only when pm is set to 'dynamic'
-; Note: Mandatory when pm is set to 'dynamic'
-pm.min_spare_servers = 1
-
-; The desired maximum number of idle server processes.
-; Note: Used only when pm is set to 'dynamic'
-; Note: Mandatory when pm is set to 'dynamic'
-pm.max_spare_servers = 3
-
-; The number of seconds after which an idle process will be killed.
-; Note: Used only when pm is set to 'ondemand'
-; Default Value: 10s
-;pm.process_idle_timeout = 10s;
- 
-; The number of requests each child process should execute before respawning.
-; This can be useful to work around memory leaks in 3rd party libraries. For
-; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
-; Default Value: 0
-;pm.max_requests = 500
-
-; The URI to view the FPM status page. If this value is not set, no URI will be
-; recognized as a status page. It shows the following informations:
-;   pool                 - the name of the pool;
-;   process manager      - static, dynamic or ondemand;
-;   start time           - the date and time FPM has started;
-;   start since          - number of seconds since FPM has started;
-;   accepted conn        - the number of request accepted by the pool;
-;   listen queue         - the number of request in the queue of pending
-;                          connections (see backlog in listen(2));
-;   max listen queue     - the maximum number of requests in the queue
-;                          of pending connections since FPM has started;
-;   listen queue len     - the size of the socket queue of pending connections;
-;   idle processes       - the number of idle processes;
-;   active processes     - the number of active processes;
-;   total processes      - the number of idle + active processes;
-;   max active processes - the maximum number of active processes since FPM
-;                          has started;
-;   max children reached - number of times, the process limit has been reached,
-;                          when pm tries to start more children (works only for
-;                          pm 'dynamic' and 'ondemand');
-; Value are updated in real time.
-; Example output:
-;   pool:                 www
-;   process manager:      static
-;   start time:           01/Jul/2011:17:53:49 +0200
-;   start since:          62636
-;   accepted conn:        190460
-;   listen queue:         0
-;   max listen queue:     1
-;   listen queue len:     42
-;   idle processes:       4
-;   active processes:     11
-;   total processes:      15
-;   max active processes: 12
-;   max children reached: 0
-;
-; By default the status page output is formatted as text/plain. Passing either
-; 'html', 'xml' or 'json' in the query string will return the corresponding
-; output syntax. Example:
-;   http://www.foo.bar/status
-;   http://www.foo.bar/status?json
-;   http://www.foo.bar/status?html
-;   http://www.foo.bar/status?xml
-;
-; By default the status page only outputs short status. Passing 'full' in the
-; query string will also return status for each pool process.
-; Example: 
-;   http://www.foo.bar/status?full
-;   http://www.foo.bar/status?json&full
-;   http://www.foo.bar/status?html&full
-;   http://www.foo.bar/status?xml&full
-; The Full status returns for each process:
-;   pid                  - the PID of the process;
-;   state                - the state of the process (Idle, Running, ...);
-;   start time           - the date and time the process has started;
-;   start since          - the number of seconds since the process has started;
-;   requests             - the number of requests the process has served;
-;   request duration     - the duration in µs of the requests;
-;   request method       - the request method (GET, POST, ...);
-;   request URI          - the request URI with the query string;
-;   content length       - the content length of the request (only with POST);
-;   user                 - the user (PHP_AUTH_USER) (or '-' if not set);
-;   script               - the main script called (or '-' if not set);
-;   last request cpu     - the %cpu the last request consumed
-;                          it's always 0 if the process is not in Idle state
-;                          because CPU calculation is done when the request
-;                          processing has terminated;
-;   last request memory  - the max amount of memory the last request consumed
-;                          it's always 0 if the process is not in Idle state
-;                          because memory calculation is done when the request
-;                          processing has terminated;
-; If the process is in Idle state, then informations are related to the
-; last request the process has served. Otherwise informations are related to
-; the current request being served.
-; Example output:
-;   ************************
-;   pid:                  31330
-;   state:                Running
-;   start time:           01/Jul/2011:17:53:49 +0200
-;   start since:          63087
-;   requests:             12808
-;   request duration:     1250261
-;   request method:       GET
-;   request URI:          /test_mem.php?N=10000
-;   content length:       0
-;   user:                 -
-;   script:               /home/fat/web/docs/php/test_mem.php
-;   last request cpu:     0.00
-;   last request memory:  0
-;
-; Note: There is a real-time FPM status monitoring sample web page available
-;       It's available in: ${prefix}/share/fpm/status.html
-;
-; Note: The value must start with a leading slash (/). The value can be
-;       anything, but it may not be a good idea to use the .php extension or it
-;       may conflict with a real PHP file.
-; Default Value: not set 
-;pm.status_path = /status
- 
-; The ping URI to call the monitoring page of FPM. If this value is not set, no
-; URI will be recognized as a ping page. This could be used to test from outside
-; that FPM is alive and responding, or to
-; - create a graph of FPM availability (rrd or such);
-; - remove a server from a group if it is not responding (load balancing);
-; - trigger alerts for the operating team (24/7).
-; Note: The value must start with a leading slash (/). The value can be
-;       anything, but it may not be a good idea to use the .php extension or it
-;       may conflict with a real PHP file.
-; Default Value: not set
-;ping.path = /ping
-
-; This directive may be used to customize the response of a ping request. The
-; response is formatted as text/plain with a 200 response code.
-; Default Value: pong
-;ping.response = pong
-
-; The access log file
-; Default: not set
-;access.log = /var/log/$pool.access.log
-
-; The access log format.
-; The following syntax is allowed
-;  %%: the '%' character
-;  %C: %CPU used by the request
-;      it can accept the following format:
-;      - %{user}C for user CPU only
-;      - %{system}C for system CPU only
-;      - %{total}C  for user + system CPU (default)
-;  %d: time taken to serve the request
-;      it can accept the following format:
-;      - %{seconds}d (default)
-;      - %{miliseconds}d
-;      - %{mili}d
-;      - %{microseconds}d
-;      - %{micro}d
-;  %e: an environment variable (same as $_ENV or $_SERVER)
-;      it must be associated with embraces to specify the name of the env
-;      variable. Some exemples:
-;      - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
-;      - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
-;  %f: script filename
-;  %l: content-length of the request (for POST request only)
-;  %m: request method
-;  %M: peak of memory allocated by PHP
-;      it can accept the following format:
-;      - %{bytes}M (default)
-;      - %{kilobytes}M
-;      - %{kilo}M
-;      - %{megabytes}M
-;      - %{mega}M
-;  %n: pool name
-;  %o: ouput header
-;      it must be associated with embraces to specify the name of the header:
-;      - %{Content-Type}o
-;      - %{X-Powered-By}o
-;      - %{Transfert-Encoding}o
-;      - ....
-;  %p: PID of the child that serviced the request
-;  %P: PID of the parent of the child that serviced the request
-;  %q: the query string 
-;  %Q: the '?' character if query string exists
-;  %r: the request URI (without the query string, see %q and %Q)
-;  %R: remote IP address
-;  %s: status (response code)
-;  %t: server time the request was received
-;      it can accept a strftime(3) format:
-;      %d/%b/%Y:%H:%M:%S %z (default)
-;  %T: time the log has been written (the request has finished)
-;      it can accept a strftime(3) format:
-;      %d/%b/%Y:%H:%M:%S %z (default)
-;  %u: remote user
-;
-; Default: "%R - %u %t \"%m %r\" %s"
-;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
- 
-; The log file for slow requests
-; Default Value: not set
-; Note: slowlog is mandatory if request_slowlog_timeout is set
-slowlog = /var/log/$pool.log.slow
- 
-; The timeout for serving a single request after which a PHP backtrace will be
-; dumped to the 'slowlog' file. A value of '0s' means 'off'.
-; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
-; Default Value: 0
-;request_slowlog_timeout = 0
- 
-; The timeout for serving a single request after which the worker process will
-; be killed. This option should be used when the 'max_execution_time' ini option
-; does not stop script execution for some reason. A value of '0' means 'off'.
-; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
-; Default Value: 0
-;request_terminate_timeout = 0
- 
-; Set open file descriptor rlimit.
-; Default Value: system defined value
-;rlimit_files = 1024
- 
-; Set max core size rlimit.
-; Possible Values: 'unlimited' or an integer greater or equal to 0
-; Default Value: system defined value
-;rlimit_core = 0
- 
-; Chroot to this directory at the start. This value must be defined as an
-; absolute path. When this value is not set, chroot is not used.
-; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
-; of its subdirectories. If the pool prefix is not set, the global prefix
-; will be used instead.
-; Note: chrooting is a great security feature and should be used whenever 
-;       possible. However, all PHP paths will be relative to the chroot
-;       (error_log, sessions.save_path, ...).
-; Default Value: not set
-;chroot = 
- 
-; Chdir to this directory at the start.
-; Note: relative path can be used.
-; Default Value: current directory or / when chroot
-chdir = /
- 
-; Redirect worker stdout and stderr into main error log. If not set, stdout and
-; stderr will be redirected to /dev/null according to FastCGI specs.
-; Note: on highloaded environement, this can cause some delay in the page
-; process time (several ms).
-; Default Value: no
-;catch_workers_output = yes
-
-; Limits the extensions of the main script FPM will allow to parse. This can
-; prevent configuration mistakes on the web server side. You should only limit
-; FPM to .php extensions to prevent malicious users to use other extensions to
-; exectute php code.
-; Note: set an empty value to allow all extensions.
-; Default Value: .php
-;security.limit_extensions = .php .php3 .php4 .php5
- 
-; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
-; the current environment.
-; Default Value: clean env
-;env[HOSTNAME] = $HOSTNAME
-;env[PATH] = /usr/local/bin:/usr/bin:/bin
-;env[TMP] = /tmp
-;env[TMPDIR] = /tmp
-;env[TEMP] = /tmp
-
-; Additional php.ini defines, specific to this pool of workers. These settings
-; overwrite the values previously defined in the php.ini. The directives are the
-; same as the PHP SAPI:
-;   php_value/php_flag             - you can set classic ini defines which can
-;                                    be overwritten from PHP call 'ini_set'. 
-;   php_admin_value/php_admin_flag - these directives won't be overwritten by
-;                                     PHP call 'ini_set'
-; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
-
-; Defining 'extension' will load the corresponding shared extension from
-; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
-; overwrite previously defined php.ini values, but will append the new value
-; instead.
-
-; Note: path INI options can be relative and will be expanded with the prefix
-; (pool, global or /usr)
-
-; Default Value: nothing is defined by default except the values in php.ini and
-;                specified at startup with the -d argument
-;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
-;php_flag[display_errors] = off
-;php_admin_value[error_log] = /var/log/fpm-php.www.log
-;php_admin_flag[log_errors] = on
-;php_admin_value[memory_limit] = 32M

debian/roles/appservers-php/handlers/main.yml

@@ -1,3 +0,0 @@
----
-- name: start php5-fpm
-  service: name=php5-fpm state=started

debian/roles/appservers-php/tasks/main.yml

@@ -1,9 +0,0 @@
----
-- name: Install php5-fpm
-  apt: pkg=php5-fpm state=latest
-- name: Stop the php5-fpm daemon for now and ensure it starts on boot
-  service: name=php5-fpm state=stopped enabled=yes
-- name: Copy over the php5-fpm www pool config
-  copy: src=www.conf dest=/etc/php5/fpm/pool.d/www.conf backup=yes
-  notify:
-  - start php5-fpm

debian/roles/appservers-uwsgi/files/uwsgi.init

@@ -1,72 +0,0 @@
-#!/bin/sh
-
-### BEGIN INIT INFO
-# Provides:          uwsgi
-# Required-Start:    $all
-# Required-Stop:     $all
-# Default-Start:     2 3 4 5
-# Default-Stop:      0 1 6
-# Short-Description: starts the uwsgi app server
-# Description:       starts uwsgi app server using start-stop-daemon
-### END INIT INFO
-
-PATH=/opt/uwsgi:/sbin:/bin:/usr/sbin:/usr/bin
-DAEMON=/usr/local/bin/uwsgi
-
-OWNER=uwsgi
-
-NAME=uwsgi
-DESC=uwsgi
-
-test -x $DAEMON || exit 0
-
-# Include uwsgi defaults if available
-if [ -f /etc/default/uwsgi ] ; then
-        . /etc/default/uwsgi
-fi
-
-set -e
-
-#DAEMON_OPTS="-s 127.0.0.1:9001 -M 4 -t 30 -A 4 -p 4 -d /var/log/uwsgi.log --pythonpath $PYTHONPATH --module $MODULE"
-DAEMON_OPTS="--emperor /etc/uwsgi/apps -d /var/log/uwsgi.log"
-case "$1" in
-  start)
-        echo -n "Starting $DESC: "
-        start-stop-daemon --start --chuid $OWNER:$OWNER --user $OWNER \
-                --exec $DAEMON -- $DAEMON_OPTS
-        echo "$NAME."
-        ;;
-  stop)
-        echo -n "Stopping $DESC: "
-        start-stop-daemon --signal 3 --user $OWNER --quiet --retry 2 --stop \
-                --exec $DAEMON
-        echo "$NAME."
-        ;;
-  reload)
-        killall -1 $DAEMON
-        ;;
-  force-reload)
-        killall -15 $DAEMON
-       ;;
-  restart)
-        echo -n "Restarting $DESC: "
-        start-stop-daemon --signal 3 --user $OWNER --quiet --retry 2 --stop \
-                --exec $DAEMON
-        sleep 1
-        start-stop-daemon --user $OWNER --start --quiet --chuid $OWNER:$OWNER \
-               --exec $DAEMON -- $DAEMON_OPTS
-        echo "$NAME."
-        ;;
-  status)  
-        killall -10 $DAEMON
-        ;;
-      *)  
-            N=/etc/init.d/$NAME
-            echo "Usage: $N {start|stop|restart|reload|force-reload|status}" >&2
-            exit 1
-            ;;
-    esac
-    exit 0
-
-
-

debian/roles/appservers-uwsgi/files/uwsgi.logrotate

@@ -1,9 +0,0 @@
-"/var/log/uwsgi/*.log" "/var/log/uwsgi/*/*.log" {
-  copytruncate
-  daily
-  rotate 5
-  compress
-  delaycompress
-  missingok
-  notifempty
-}

debian/roles/appservers-uwsgi/handlers/main.yml

@@ -1,3 +0,0 @@
----
-- name: start uwsgi
-  service: name=uwsgi state=started

debian/roles/appservers-uwsgi/tasks/main.yml

@@ -1,24 +0,0 @@
----
-- name: Install virtualenv
-  apt: name=python-virtualenv state=latest
-- name: Install uwsgi from PyPI
-  pip: name=uWSGI
-- name: Add uwsgi group
-  group: name=uwsgi state=present
-- name: Add uwsgi user
-  user: name=uwsgi shell=/sbin/nologin createhome=no group=uwsgi password=$6$Qu5GfWUlAPXh$Ie8Fd9Vzl.PpaFciUbRCI4sIryI6i0rDE29Vf86/WYHgPSWG7x9IIkVU.tG1Mtfq2OM9IeH2IuvOKCcnErMgC1
-- name: Copy over the uwsgi init script and logrotate config
-  copy: src={{ item.name }} dest={{ item.dir }} backup=yes
-  with_items:
-     - { name: 'uwsgi.init', dir: '/etc/init.d/uwsgi' }
-     - { name: 'uwsgi.logrotate', dir: '/etc/logrotate.d/uwsgi' }
-- name: Make sure the init script is executable
-  file: path=/etc/init.d/uwsgi owner=root group=root mode=0755
-- name: Make configuration directory
-  file: path=/etc/uwsgi/apps state=directory
-- name: Make log file with correct permissions
-  file: path=/var/log/uwsgi.log owner=uwsgi group=uwsgi mode=0750 state=touch
-- name: Make sure uwsgi starts on boot
-  service: name=uwsgi enabled=yes
-  notify:
-  - start uwsgi

debian/roles/common/files/resolv.conf

@@ -1,2 +0,0 @@
-nameserver ::1
-nameserver 8.8.8.8

debian/roles/common/handlers/main.yml

@@ -1,6 +0,0 @@
----
-- name: restart rsyslog
-  service: name=rsyslog state=restarted
-- name: restart cron
-  service: name=cron state=restarted
-

debian/roles/common/tasks/main.yml

@@ -1,59 +0,0 @@
----
-# This playbook contains common plays that will be run all nodes.
-
-- name: Install python-apt, aptitude, and debconf-utils
-  shell: apt-get update && apt-get -y install python-apt aptitude debconf-utils
-- name: Do any package upgrades
-  apt: upgrade=dist
-- name: Set default locale to en_US.UTF-8
-  debconf: name=locales question='locales/default_environment_locale' value=en_US.UTF-8 vtype='select'
-- name: Generate locales
-  debconf: name=locales question='locales/locales_to_be_generated'  value='en_US.UTF-8 UTF-8' vtype='multiselect'
-- name: Set timezone area
-  debconf: name=tzdata question='tzdata/Areas' value='Etc' vtype='select'
-- name: Set timezone
-  debconf: name=tzdata question='tzdata/Zones/Etc' value='UTC' vtype='select'
-  notify:
-  - restart rsyslog
-  - restart cron
-- name: Install required packages
-  apt: pkg={{ item }} state=latest
-  with_items:
-     - most
-     - zsh
-     - vim
-     - vim-scripts
-     - git
-     - subversion
-     - tmux
-     - multitail
-     - mtr-tiny
-     - curl
-     - dnsutils
-     - sudo
-     - gnupg
-     - traceroute
-     - htop
-     - haveged
-     - python-pip
-     - unbound
-     - duplicity
-     - python-boto
-     - build-essential
-     - vnstat
-     - python-dev
-     - ntp
-- name: Remove exim4 and consolekit
-  apt: pkg={{ item }} state=absent
-  with_items:
-     - exim4-daemon-light
-     - consolekit
-- name: Ensure haveged, unbound, ntp, and vnstat are started on boot
-  service: name={{ item }} enabled=yes
-  with_items:
-     - haveged
-     - unbound
-     - vnstat
-     - ntp
-- name: use local unbound instance for DNS and Google Public DNS as backup
-  copy: src=resolv.conf dest=/etc/resolv.conf

debian/roles/webservers-nginx/files/0-catch-all

@@ -1,12 +0,0 @@
-# This file is a nginx catch-all vhost, probably put here in an automated
-# fashion.
-server {
-    listen 80;
-    listen [::]:80 ipv6only=on;
-    server_name _; # This is just an invalid value which will never trigger on a real hostname.
-    access_log /var/log/nginx/default.access.log;
-    index index.html;
-    server_name_in_redirect off;
-    root  /srv/www/catch-all;
-}
-

debian/roles/webservers-nginx/files/cloudflare.conf

@@ -1,11 +0,0 @@
-# Cloudflare
-set_real_ip_from   204.93.240.0/24;
-set_real_ip_from   204.93.177.0/24;
-set_real_ip_from   199.27.128.0/21;
-set_real_ip_from   173.245.48.0/20;
-set_real_ip_from   103.22.200.0/22;
-set_real_ip_from   141.101.64.0/18;
-set_real_ip_from   108.162.192.0/18;
-set_real_ip_from   190.93.240.0/20;
-real_ip_header     CF-Connecting-IP;
-

debian/roles/webservers-nginx/files/nginx.conf

@@ -1,63 +0,0 @@
-user www-data;
-worker_processes auto;
-pid /var/run/nginx.pid;
-
-events {
-	worker_connections 768;
-	# multi_accept on;
-}
-
-http {
-	##
-	# Basic Settings
-	##
-    sendfile on;
-	tcp_nopush on;
-	tcp_nodelay on;
-	keepalive_timeout 70;
-	types_hash_max_size 2048;
-	server_tokens off;
-    ssl_session_cache  shared:SSL:10m;
-    ssl_session_timeout 10m;
-	# server_names_hash_bucket_size 64;
-	# server_name_in_redirect off;
-
-	include /etc/nginx/mime.types;
-	default_type application/octet-stream;
-
-	##
-	# Logging Settings
-	##
-
-	access_log /var/log/nginx/access.log;
-	error_log /var/log/nginx/error.log;
-
-	##
-	# Gzip Settings
-	##
-
-	gzip on;
-	gzip_disable "msie6";
-
-	# gzip_vary on;
-	# gzip_proxied any;
-	# gzip_comp_level 6;
-	# gzip_buffers 16 8k;
-	# gzip_http_version 1.1;
-	gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
-
-	##
-	# Virtual Host Configs
-	##
-
-	include /etc/nginx/conf.d/*.conf;
-	include /etc/nginx/sites-enabled/*;
-
-	# Upstream to abstract backend connection(s) for PHP.
-	upstream php {
-#		server unix:/tmp/php-fpm.sock;
-		server 127.0.0.1:9000;
-	}
-
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-}

debian/roles/webservers-nginx/files/php-generic.conf

@@ -1,14 +0,0 @@
-index index.php index.html index.htm;
-location / {
-    try_files $uri $uri/ /index.php?$args;
-}
-
-location ~ \.php$ {
-    try_files $uri =404;
-    fastcgi_split_path_info ^(.+\.php)(/.+)$;
-    include fastcgi_params;
-    fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
-    fastcgi_pass php;
-    fastcgi_index index.php;
-}
-

debian/roles/webservers-nginx/files/security-generic.conf

@@ -1,23 +0,0 @@
-location = /favicon.ico {
-        log_not_found off;
-        access_log off;
-}
-
-location = /robots.txt {
-        allow all;
-        log_not_found off;
-        access_log off;
-}
-
-# Directives to send expires headers and turn off 404 error logging.
-location ~* \.(js|css|png|jpg|jpeg|gif|ico|html)$ {
-        expires 24h;
-}
-
-# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
-location ~ /\. {
-        deny all;
-        access_log off;
-        log_not_found off;
-}
-

debian/roles/webservers-nginx/files/wordpress-generic.conf

@@ -1,39 +0,0 @@
-# WordPress single blog rules.
-# Designed to be included in any server {} block.
-
-# This order might seem weird - this is attempted to match last if rules below fail.
-# http://wiki.nginx.org/HttpCoreModule
-location / {
-        try_files $uri $uri/ /index.php?$args;
-}
-
-# Add trailing slash to */wp-admin requests.
-rewrite /wp-admin$ $scheme://$host$uri/ permanent;
-
-# Directives to send expires headers and turn off 404 error logging.
-location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
-        expires 24h;
-}
-
-# Uncomment one of the lines below for the appropriate caching plugin (if used).
-#include global/wordpress-supercache.conf;
-#include global/wordpress-w3cache.conf;
-
-# Pass all .php files onto a php-fpm/php-fcgi server.
-location ~ \.php$ {
-        # Zero-day exploit defense.
-        # http://forum.nginx.org/read.php?2,88845,page=3
-        # Won't work properly (404 error) if the file is not stored on this server, which is entirely possible with php-fpm/php-fcgi.
-        # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on another machine.  And then cross your fingers that you won't get hacked.
-        try_files $uri =404;
-
-        fastcgi_split_path_info ^(.+\.php)(/.+)$;
-        #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
-
-        include fastcgi_params;
-        fastcgi_index index.php;
-        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-#       fastcgi_intercept_errors on;
-        fastcgi_pass php;
-}
-

debian/roles/webservers-nginx/files/wordpress-security.conf

@@ -1,34 +0,0 @@
-# Global restrictions configuration file.
-# Designed to be included in any server {} block.</p>
-location = /favicon.ico {
-        log_not_found off;
-        access_log off;
-}
-
-location = /robots.txt {
-        allow all;
-        log_not_found off;
-        access_log off;
-}
-
-# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
-location ~ /\. {
-        deny all;
-        access_log off;
-        log_not_found off;
-}
-
-# Deny access to any files with a .php extension in the uploads directory
-location ~* ^/wp-content/uploads/.*.php$ {
-        deny all;
-        access_log off;
-        log_not_found off;
-}
-
-# Deny access to any files with a .php extension in the uploads directory for multisite
-location ~* /files/(.*).php$ {
-        deny all;
-        access_log off;
-        log_not_found off;
-}
-

debian/roles/webservers-nginx/handlers/main.yml

@@ -1,3 +0,0 @@
----
-- name: start nginx
-  service: name=nginx state=started

debian/roles/webservers-nginx/tasks/main.yml

@@ -1,35 +0,0 @@
----
-- name: Add nginx upstream repo key
-  apt_key: url=http://nginx.org/keys/nginx_signing.key state=present
-- name: Add nginx upstream repository
-  apt_repository: repo='deb http://nginx.org/packages/debian/ wheezy nginx' state=present update_cache=yes
-- name: Install nginx package
-  apt: pkg=nginx state=latest
-- name: Stop nginx for now and also make it start on boot
-  service: name=nginx state=stopped enabled=yes
-- name: Make nginx related dirs
-  file: path={{ item }} state=directory
-  with_items:
-     - /etc/nginx/global
-     - /etc/nginx/sites-available
-     - /etc/nginx/sites-enabled
-     - /srv/www/catch-all
-- name: Clean out default vhost file in enabled and available dirs
-  file: path={{ item }} state=absent
-  with_items:
-     - /etc/nginx/sites-enabled/default
-     - /etc/nginx/sites-available/default
-- name: Copy over all nginx configuration files
-  copy: src={{ item.name }}  dest={{ item.dir }}
-  with_items:
-     - { name: 'nginx.conf', dir: '/etc/nginx/nginx.conf' }
-     - { name: '0-catch-all', dir: '/etc/nginx/sites-available/0-catch-all' }
-     - { name: 'cloudflare.conf', dir: '/etc/nginx/global/cloudflare.conf' }
-     - { name: 'php-generic.conf', dir: '/etc/nginx/global/php-generic.conf' }
-     - { name: 'security-generic.conf', dir: '/etc/nginx/global/security-generic.conf' }
-     - { name: 'wordpress-generic.conf', dir: '/etc/nginx/global/wordpress-generic.conf' }
-     - { name: 'wordpress-security.conf', dir: '/etc/nginx/global/wordpress-security.conf' }
-- name: Symlink the default catch-all vhost
-  file: src=/etc/nginx/sites-available/0-catch-all dest=/etc/nginx/sites-enabled/0-catch-all state=link
-  notify:
-  - start nginx

debian/site.yml

@@ -1,29 +0,0 @@
----
-
-- name: apply common configuration to all nodes
-  hosts: all
-  user: root
-
-  roles:
-    - common
-
-- name: apply configuration to web servers (nginx)
-  hosts: webservers-nginx
-  user: root
-
-  roles:
-    - webservers-nginx
-
-- name: apply configuration to PHP app servers
-  hosts: appservers-php
-  user: root
-
-  roles:
-    - appservers-php
-
-- name: apply configuration to uwsgi app servers
-  hosts: appservers-uwsgi
-  user: root
-
-  roles:
-    - appservers-uwsgi

ubuntu/disable-rpcbind.yml

@@ -0,0 +1,7 @@
+---
+- name: Disable rpcbind service
+  hosts: cloud
+  user: root
+
+  roles:
+    - disable-rpcbind

ubuntu/dresden.silvestris.systems.yml

@@ -0,0 +1,120 @@
+---
+- hosts: dresden.silvestris.systems
+
+  roles:
+  - role: jdauphant.nginx
+    nginx_user: "www-data"
+    nginx_events_params:
+      - worker_connections 1024
+    nginx_http_params:
+      - sendfile "on"
+      - server_names_hash_bucket_size 512
+    nginx_sites:
+      donate.tenforward.social.http:
+        - listen *:80
+        - listen [::]:80
+        - server_name donate.tenforward.social
+        - root "/srv/www/donate.tenforward.social/"
+        - location /.well-known/acme-challenge/ {
+            allow all;
+          }
+        - return 301 "https://$host$request_uri"
+      donate.tenforward.social.https:
+        - listen *:443 ssl http2
+        - listen [::]:443 ssl http2
+        - server_name donate.tenforward.social
+        - root "/srv/www/donate.tenforward.social"
+        - index index.html
+        - access_log "/var/log/nginx/donate.tenforward.social.access.log"
+        - error_log "/var/log/nginx/donate.tenforward.social.error.log"
+        - ssl_certificate "/etc/ssl/letsencrypt/donate.tenforward.social.crt"
+        - ssl_certificate_key "/etc/ssl/letsencrypt/donate.tenforward.social.pem"
+        - include snippets/sslstapling_hsts.conf
+      wiki.tenforward.social.http:
+        - listen *:80
+        - listen [::]:80
+        - server_name wiki.tenforward.social
+        - return 301 "https://$host$request_uri"
+      wiki.tenforward.social.https:
+        - listen *:443 ssl http2
+        - listen [::]:443 ssl http2
+        - server_name wiki.tenforward.social
+        - root "/srv/www/wiki.tenforward.social"
+        - index index.php
+        - access_log "/var/log/nginx/wiki.tenforward.social.access.log"
+        - error_log "/var/log/nginx/wiki.tenforward.social.error.log"
+        - ssl_certificate "/etc/ssl/letsencrypt/wiki.tenforward.social.crt"
+        - ssl_certificate_key "/etc/ssl/letsencrypt/wiki.tenforward.social.pem"
+        - include snippets/sslstapling_hsts.conf
+        - location ~ /(data|conf|bin|inc)/ {
+            deny all;
+          }
+        - location / {
+            try_files $uri $uri/ /index.php?$args;
+          }
+        - location ~ \.php$ {
+            try_files $uri =404;
+            fastcgi_split_path_info ^(.+\.php)(/.+)$;
+            include fastcgi_params;
+            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
+            fastcgi_pass php;
+            fastcgi_index index.php;
+          }
+    nginx_snippets:
+      sslstapling_hsts:
+        - ssl_stapling on
+        - resolver [::1] valid=300s
+        - add_header Strict-Transport-Security max-age=31536000
+      php_standard:
+        - location / {
+            try_files $uri $uri/ /index.php?$args;
+          }
+        - location ~ \.php$ {
+            try_files $uri =404;
+            fastcgi_split_path_info ^(.+\.php)(/.+)$;
+            include fastcgi_params;
+            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
+            fastcgi_pass php;
+            fastcgi_index index.php;
+          }
+      wp_with_supercache:
+        - set $cache_uri $request_uri
+        - if ( $request_method = POST ) { set $cache_uri 'null cache'; }
+        - if ( $query_string != "" ) { set $cache_uri 'null cache'; }
+        - if ( $request_uri ~* "/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml" ) { set $cache_uri 'null cache'; }
+        - if ( $http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_logged_in" ) { set $cache_uri 'null cache'; }
+        - location / {
+            try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?$args;
+          }
+        - location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|woff2)$ {
+            expires max;
+          }
+        - location ~ \.php$ {
+            try_files $uri =404;
+            fastcgi_split_path_info ^(.+\.php)(/.+)$;
+            include fastcgi_params;
+            fastcgi_index index.php;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            fastcgi_pass php;
+          }
+    nginx_configs:
+      gzip:
+        - gzip on
+        - gzip_disable msie6
+        - gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript
+      upstream:
+        - upstream php { server unix:/run/php/php8.1-fpm.sock; }
+      ssl:
+        - ssl_protocols TLSv1.2 TLSv1.3
+        - ssl_prefer_server_ciphers on
+        - ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'
+        - ssl_dhparam "/etc/nginx/dhparams.pem"
+        - ssl_session_timeout 1d
+        - ssl_session_cache shared:SSL:50m
+        - ssl_session_tickets off
+      fcgicache:
+        - fastcgi_cache_path /var/run/nginx-cache levels=1:2 keys_zone=WORDPRESS:100m inactive=60m
+        - fastcgi_cache_key "$scheme$request_method$host$request_uri"
+        - fastcgi_cache_use_stale error timeout invalid_header http_500
+        - fastcgi_ignore_headers Cache-Control Expires Set-Cookie
+        - add_header rt-Fastcgi-Cache $upstream_cache_status

ubuntu/erlking.silvestris.systems.yml

@@ -0,0 +1,269 @@
+---
+- hosts: erlking.silvestris.systems
+
+  roles:
+  - role: jdauphant.nginx
+    nginx_user: "www-data"
+    nginx_events_params:
+      - worker_connections 1024
+    nginx_http_params:
+      - sendfile "on"
+      - server_names_hash_bucket_size 512
+    nginx_sites:
+      nullrouted.space.http:
+        - listen *:80
+        - listen [::]:80
+        - server_name nullrouted.space
+        - return 301 "https://$host$request_uri"
+      nullrouted.space.https:
+        - listen *:443 ssl http2
+        - listen [::]:443 ssl http2
+        - server_name nullrouted.space
+        - root "/srv/www/nullrouted.space"
+        - index index.php index.html
+        - access_log "/var/log/nginx/nullrouted.space.access.log"
+        - error_log "/var/log/nginx/nullrouted.space.error.log"
+        - client_max_body_size 10M
+        - ssl_certificate "/etc/ssl/letsencrypt/nullrouted.space.crt"
+        - ssl_certificate_key "/etc/ssl/letsencrypt/nullrouted.space.pem"
+        - include snippets/sslstapling_hsts.conf
+        - include snippets/wp_with_supercache.conf
+        - include snippets/blockbots.conf
+      entropynet.net.http:
+        - listen *:80
+        - listen [::]:80
+        - server_name entropynet.net
+        - return 301 "https://$host$request_uri"
+      entropynet.net.https:
+        - listen *:443 ssl http2
+        - listen [::]:443 ssl http2
+        - server_name entropynet.net
+        - root "/srv/www/entropynet.net"
+        - error_page 404 /404.html
+        - index index.html
+        - access_log "/var/log/nginx/entropynet.net.access.log"
+        - error_log "/var/log/nginx/entropynet.net.error.log"
+        - ssl_certificate "/etc/ssl/letsencrypt/entropynet.net.crt"
+        - ssl_certificate_key "/etc/ssl/letsencrypt/entropynet.net.pem"
+        - include snippets/sslstapling_hsts.conf
+        - include snippets/blockbots.conf
+      twoshadesofbrown.com.http:
+        - listen *:80
+        - listen [::]:80
+        - server_name twoshadesofbrown.com
+        - return 301 "https://$host$request_uri"
+      twoshadesofbrown.com.https:
+        - listen *:443 ssl http2
+        - listen [::]:443 ssl http2
+        - server_name twoshadesofbrown.com
+        - root "/srv/www/twoshadesofbrown.com"
+        - index index.php index.html
+        - access_log "/var/log/nginx/twoshadesofbrown.com.access.log"
+        - error_log "/var/log/nginx/twoshadesofbrown.com.error.log"
+        - client_max_body_size 10M
+        - ssl_certificate "/etc/ssl/letsencrypt/twoshadesofbrown.com.crt"
+        - ssl_certificate_key "/etc/ssl/letsencrypt/twoshadesofbrown.com.pem"
+        - include snippets/sslstapling_hsts.conf
+        - include snippets/wp_with_supercache.conf
+        - include snippets/blockbots.conf
+      wiki.packetcat.ca.http:
+        - listen *:80
+        - listen [::]:80
+        - server_name wiki.packetcat.ca
+        - return 301 "https://$host$request_uri"
+      wiki.packetcat.ca.https:
+        - listen *:443 ssl http2
+        - listen [::]:443 ssl http2
+        - server_name wiki.packetcat.ca
+        - root "/srv/www/wiki.packetcat.ca"
+        - index index.php
+        - access_log "/var/log/nginx/wiki.packetcat.ca.access.log"
+        - error_log "/var/log/nginx/wiki.packetcat.ca.error.log"
+        - ssl_certificate "/etc/ssl/letsencrypt/wiki.packetcat.ca.crt"
+        - ssl_certificate_key "/etc/ssl/letsencrypt/wiki.packetcat.ca.pem"
+        - include snippets/sslstapling_hsts.conf
+        - include snippets/blockbots.conf
+        - location ~ /(data|conf|bin|inc)/ {
+            deny all;
+          }
+        - location / {
+            try_files $uri $uri/ /index.php?$args;
+          }
+        - location ~ \.php$ {
+            try_files $uri =404;
+            fastcgi_split_path_info ^(.+\.php)(/.+)$;
+            include fastcgi_params;
+            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
+            fastcgi_pass php;
+            fastcgi_index index.php;
+          }
+      sadiqsaif.com.http:
+        - listen *:80
+        - listen [::]:80
+        - server_name sadiqsaif.com
+        - return 301 "https://$host$request_uri"
+      sadiqsaif.com.https:
+        - listen *:443 ssl http2
+        - listen [::]:443 ssl http2
+        - server_name sadiqsaif.com
+        - root "/srv/www/sadiqsaif.com/public"
+        - index index.html
+        - error_page 404 /404.html
+        - access_log "/var/log/nginx/sadiqsaif.com.access.log"
+        - error_log "/var/log/nginx/sadiqsaif.com.error.log"
+        - ssl_certificate "/etc/ssl/letsencrypt/sadiqsaif.com.crt"
+        - ssl_certificate_key "/etc/ssl/letsencrypt/sadiqsaif.com.pem"
+        - include snippets/sslstapling_hsts.conf
+        - include snippets/blockbots.conf
+      sadiqsaif.ca.http:
+        - listen *:80
+        - listen [::]:80
+        - server_name sadiqsaif.ca
+        - return 301 "https://sadiqsaif.com$request_uri"
+      sadiqsaif.ca.https:
+        - listen *:443 ssl http2
+        - listen [::]:443 ssl http2
+        - server_name sadiqsaif.ca
+        - access_log "/var/log/nginx/sadiqsaif.ca.access.log"
+        - error_log "/var/log/nginx/sadiqsaif.ca.error.log"
+        - ssl_certificate "/etc/ssl/letsencrypt/sadiqsaif.ca.crt"
+        - ssl_certificate_key "/etc/ssl/letsencrypt/sadiqsaif.ca.pem"
+        - return 301 "https://sadiqsaif.com$request_uri"
+      wallabag.packetcat.ca.http:
+        - listen *:80
+        - listen [::]:80
+        - server_name wallabag.packetcat.ca
+        - return 301 "https://$host$request_uri"
+      wallabag.packetcat.ca.https:
+        - listen *:443 ssl http2
+        - listen [::]:443 ssl http2
+        - server_name wallabag.packetcat.ca
+        - root "/srv/www/wallabag.packetcat.ca/web"
+        - index app.php
+        - access_log "/var/log/nginx/wallabag.packetcat.ca.access.log"
+        - error_log "/var/log/nginx/wallabag.packetcat.ca.error.log"
+        - ssl_certificate "/etc/ssl/letsencrypt/wallabag.packetcat.ca.crt"
+        - ssl_certificate_key "/etc/ssl/letsencrypt/wallabag.packetcat.ca.pem"
+        - include snippets/sslstapling_hsts.conf
+        - include snippets/blockbots.conf
+        - location / {
+            try_files $uri /app.php$is_args$args;
+          }
+        - location ~ ^/app\.php(/|$) {
+            try_files $uri =404;
+            fastcgi_split_path_info ^(.+\.php)(/.+)$;
+            include fastcgi_params;
+            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
+            fastcgi_pass php;
+            fastcgi_index index.php;
+            internal;
+          }
+        - location ~ \.php$ {
+            return 404;
+          }
+      bastetrix.com.http:
+        - listen *:80
+        - listen [::]:80
+        - server_name bastetrix.com
+        - root "/srv/www/bastetrix.com/public"
+        - location /.well-known/acme-challenge/ {
+            allow all;
+          }
+        - return 301 "https://$host$request_uri"
+      bastetrix.com.https:
+        - listen *:443 ssl http2
+        - listen [::]:443 ssl http2
+        - server_name bastetrix.com
+        - root "/srv/www/bastetrix.com/public"
+        - index index.html
+        - access_log "/var/log/nginx/bastetrix.com.access.log"
+        - error_log "/var/log/nginx/bastetrix.com.error.log"
+        - ssl_certificate "/etc/ssl/letsencrypt/bastetrix.com.crt"
+        - ssl_certificate_key "/etc/ssl/letsencrypt/bastetrix.com.pem"
+        - include snippets/sslstapling_hsts.conf
+      wiki.bastetrix.org.http:
+        - listen *:80
+        - listen [::]:80
+        - server_name wiki.bastetrix.org
+        - root "/srv/www/wiki.bastetrix.org"
+        - location /.well-known/acme-challenge/ {
+            allow all;
+          }
+        - return 301 "https://$host$request_uri"
+      wiki.bastetrix.org.https:
+        - listen *:443 ssl http2
+        - listen [::]:443 ssl http2
+        - server_name wiki.bastetrix.org
+        - root "/srv/www/wiki.bastetrix.org"
+        - index index.php
+        - access_log "/var/log/nginx/wiki.bastetrix.org.access.log"
+        - error_log "/var/log/nginx/wiki.bastetrix.org.error.log"
+        - ssl_certificate "/etc/ssl/letsencrypt/wiki.bastetrix.org.crt"
+        - ssl_certificate_key "/etc/ssl/letsencrypt/wiki.bastetrix.org.pem"
+        - include snippets/sslstapling_hsts.conf
+        - location ~ /(data|conf|bin|inc)/ {
+            deny all;
+          }
+        - include snippets/php_standard.conf
+    nginx_snippets:
+      sslstapling_hsts:
+        - ssl_stapling on
+        - resolver [::1] valid=300s
+        - add_header Strict-Transport-Security max-age=31536000
+      php_standard:
+        - location / {
+            try_files $uri $uri/ /index.php?$args;
+          }
+        - location ~ \.php$ {
+            try_files $uri =404;
+            fastcgi_split_path_info ^(.+\.php)(/.+)$;
+            include fastcgi_params;
+            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
+            fastcgi_pass php;
+            fastcgi_index index.php;
+          }
+      wp_with_supercache:
+        - set $cache_uri $request_uri
+        - if ( $request_method = POST ) { set $cache_uri 'null cache'; }
+        - if ( $query_string != "" ) { set $cache_uri 'null cache'; }
+        - if ( $request_uri ~* "/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml" ) { set $cache_uri 'null cache'; }
+        - if ( $http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_logged_in" ) { set $cache_uri 'null cache'; }
+        - location / {
+            try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?$args;
+          }
+        - location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|woff2)$ {
+            expires max;
+          }
+        - location ~ \.php$ {
+            try_files $uri =404;
+            fastcgi_split_path_info ^(.+\.php)(/.+)$;
+            include fastcgi_params;
+            fastcgi_index index.php;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            fastcgi_pass php;
+          }
+      blockbots:
+        - if ($http_user_agent ~* (thesis-research-bot|fidget-spinner-bot|ClaudeBot) ) {
+            return 403;
+          }
+    nginx_configs:
+      gzip:
+        - gzip on
+        - gzip_disable msie6
+        - gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript
+      upstream:
+        - upstream php { server unix:/run/php/php8.1-fpm.sock; }
+      ssl:
+        - ssl_protocols TLSv1.2 TLSv1.3
+        - ssl_prefer_server_ciphers on
+        - ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'
+        - ssl_dhparam "/etc/nginx/dhparams.pem"
+        - ssl_session_timeout 1d
+        - ssl_session_cache shared:SSL:50m
+        - ssl_session_tickets off
+      fcgicache:
+        - fastcgi_cache_path /var/run/nginx-cache levels=1:2 keys_zone=WORDPRESS:100m inactive=60m
+        - fastcgi_cache_key "$scheme$request_method$host$request_uri"
+        - fastcgi_cache_use_stale error timeout invalid_header http_500
+        - fastcgi_ignore_headers Cache-Control Expires Set-Cookie
+        - add_header rt-Fastcgi-Cache $upstream_cache_status

ubuntu/firewall.yml

@@ -0,0 +1,7 @@
+---
+- name: Deploy firewall rules
+  hosts: firewalled
+  user: root
+
+  roles:
+    - firewall-ruleset-deploy

ubuntu/icinga-client-install.yml

@@ -0,0 +1,7 @@
+---
+- name: install Icinga 2 for client usage
+  hosts: icingaclients
+  user: root
+
+  roles:
+    - icinga-client

ubuntu/ipset.yml

@@ -0,0 +1,7 @@
+---
+- name: Deploy ipset rulesets
+  hosts: ipset
+  user: root
+
+  roles:
+    - ipset-deploy

ubuntu/molly.silvestris.systems.yml

@@ -0,0 +1,110 @@
+---
+- hosts: molly.silvestris.systems
+
+  roles:
+  - role: jdauphant.nginx
+    nginx_user: "www-data"
+    nginx_events_params:
+      - worker_connections 1024
+    nginx_http_params:
+      - sendfile "on"
+      - server_names_hash_bucket_size 512
+    nginx_sites:
+      tenforward.social.http:
+        - listen *:80
+        - listen [::]:80
+        - server_name tenforward.social
+        - location /.well-known/acme-challenge/ {
+            allow all;
+          }
+        - return 301 "https://$host$request_uri"
+      tenforward.social.https:
+        - listen *:443 ssl http2
+        - listen [::]:443 ssl http2
+        - server_name tenforward.social
+        - root "/home/mastodon/live/public"
+        - access_log "/var/log/nginx/tenforward.social.access.log"
+        - error_log "/var/log/nginx/tenforward.social.error.log"
+        - ssl_certificate "/etc/ssl/letsencrypt/tenforward.social.crt"
+        - ssl_certificate_key "/etc/ssl/letsencrypt/tenforward.social.pem"
+        - add_header Referrer-Policy "no-referrer, strict-origin-when-cross-origin"
+        - add_header Strict-Transport-Security max-age=31536000
+        - add_header Access-Control-Allow-Origin *
+        - include snippets/blockbots.conf
+        - client_max_body_size 0
+        - location / {
+            try_files $uri @proxy;
+          }
+        - location ~ ^/(emoji|packs|system/media_attachments/files|system/accounts/avatars) {
+            add_header Cache-Control "public, max-age=31536000, immutable";
+          }
+        - location ^~ /api/v1/streaming {
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header Proxy "";
+            proxy_pass http://streaming;
+            proxy_buffering off;
+            proxy_redirect off;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection $connection_upgrade;
+            add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+            tcp_nodelay on;
+          }
+        - location @proxy {
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header Proxy "";
+            proxy_pass_header Server;
+            proxy_pass http://backend;
+            proxy_buffering on;
+            proxy_redirect off;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection $connection_upgrade;
+            proxy_cache CACHE;
+            proxy_cache_valid 200 7d;
+            proxy_cache_valid 410 24h;
+            proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+            add_header X-Cached $upstream_cache_status;
+            tcp_nodelay on;
+          }
+        - error_page 404 500 501 502 503 504 /500.html
+    nginx_configs:
+      gzip:
+        - gzip on
+        - gzip_disable msie6
+        - gzip_vary on
+        - gzip_proxied any
+        - gzip_comp_level 6
+        - gzip_buffers 16 8k
+        - gzip_http_version 1.1
+        - gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript
+      connectionupgrade:
+        - map $http_upgrade $connection_upgrade {
+            default upgrade;
+            ''      close;
+          }
+      proxycache:
+        - proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g
+      ssl:
+        - ssl_protocols TLSv1.2 TLSv1.3
+        - ssl_session_timeout 1d
+        - ssl_session_cache shared:SSL:50m
+        - ssl_session_tickets off
+      upstreams:
+        - upstream backend {
+            server 127.0.0.1:3000 fail_timeout=0;
+          }
+        - upstream streaming {
+            server 127.0.0.1:4000 fail_timeout=0;
+          }
+    nginx_snippets:
+      blockbots:
+        - if ($http_user_agent ~* (LanaiBotmarch|lanaibot|TinyTestBot|TinyBotTestUA|Content-Nation) ) {
+            return 403;
+          }

ubuntu/package-update.yml

@@ -0,0 +1,14 @@
+---
+- name: Update packages on cloud nodes
+  hosts: cloud
+  user: root
+
+  roles:
+    - package-update
+
+- name: Update packages on home nodes
+  hosts: home
+  user: root
+
+  roles:
+    - package-update

ubuntu/pgbackrest-install.yml

@@ -0,0 +1,7 @@
+---
+- name: Install pgbackrest
+  hosts: pgbackrest
+  user: root
+
+  roles:
+    - pgbackrest-install

ubuntu/rclone-install.yml

@@ -0,0 +1,4 @@
+---
+- hosts: rclone-hosts
+  roles:
+    - stefangweichinger.ansible_rclone

ubuntu/roles/appservers-php/files/www.conf

@@ -1,392 +0,0 @@
-; Start a new pool named 'www'.
-; the variable $pool can we used in any directive and will be replaced by the
-; pool name ('www' here)
-[www]
-
-; Per pool prefix
-; It only applies on the following directives:
-; - 'slowlog'
-; - 'listen' (unixsocket)
-; - 'chroot'
-; - 'chdir'
-; - 'php_values'
-; - 'php_admin_values'
-; When not set, the global prefix (or /usr) applies instead.
-; Note: This directive can also be relative to the global prefix.
-; Default Value: none
-;prefix = /path/to/pools/$pool
-
-; Unix user/group of processes
-; Note: The user is mandatory. If the group is not set, the default user's group
-;       will be used.
-user = www-data
-group = www-data
-
-; The address on which to accept FastCGI requests.
-; Valid syntaxes are:
-;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific address on
-;                            a specific port;
-;   'port'                 - to listen on a TCP socket to all addresses on a
-;                            specific port;
-;   '/path/to/unix/socket' - to listen on a unix socket.
-; Note: This value is mandatory.
-listen = 127.0.0.1:9000
-
-; Set listen(2) backlog. A value of '-1' means unlimited.
-; Default Value: 128 (-1 on FreeBSD and OpenBSD)
-;listen.backlog = -1
-
-; Set permissions for unix socket, if one is used. In Linux, read/write
-; permissions must be set in order to allow connections from a web server. Many
-; BSD-derived systems allow connections regardless of permissions. 
-; Default Values: user and group are set as the running user
-;                 mode is set to 0666
-;listen.owner = www-data
-;listen.group = www-data
-;listen.mode = 0666
- 
-; List of ipv4 addresses of FastCGI clients which are allowed to connect.
-; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
-; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
-; must be separated by a comma. If this value is left blank, connections will be
-; accepted from any ip address.
-; Default Value: any
-listen.allowed_clients = 127.0.0.1
-
-; Specify the nice(2) priority to apply to the pool processes (only if set)
-; The value can vary from -19 (highest priority) to 20 (lower priority)
-; Note: - It will only work if the FPM master process is launched as root
-;       - The pool processes will inherit the master process priority
-;         unless it specified otherwise
-; Default Value: no set
-; priority = -19
-
-; Choose how the process manager will control the number of child processes.
-; Possible Values:
-;   static  - a fixed number (pm.max_children) of child processes;
-;   dynamic - the number of child processes are set dynamically based on the
-;             following directives. With this process management, there will be
-;             always at least 1 children.
-;             pm.max_children      - the maximum number of children that can
-;                                    be alive at the same time.
-;             pm.start_servers     - the number of children created on startup.
-;             pm.min_spare_servers - the minimum number of children in 'idle'
-;                                    state (waiting to process). If the number
-;                                    of 'idle' processes is less than this
-;                                    number then some children will be created.
-;             pm.max_spare_servers - the maximum number of children in 'idle'
-;                                    state (waiting to process). If the number
-;                                    of 'idle' processes is greater than this
-;                                    number then some children will be killed.
-;  ondemand - no children are created at startup. Children will be forked when
-;             new requests will connect. The following parameter are used:
-;             pm.max_children           - the maximum number of children that
-;                                         can be alive at the same time.
-;             pm.process_idle_timeout   - The number of seconds after which
-;                                         an idle process will be killed.
-; Note: This value is mandatory.
-pm = dynamic
-
-; The number of child processes to be created when pm is set to 'static' and the
-; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
-; This value sets the limit on the number of simultaneous requests that will be
-; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
-; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
-; CGI. The below defaults are based on a server without much resources. Don't
-; forget to tweak pm.* to fit your needs.
-; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
-; Note: This value is mandatory.
-pm.max_children = 5
-
-; The number of child processes created on startup.
-; Note: Used only when pm is set to 'dynamic'
-; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
-pm.start_servers = 2
-
-; The desired minimum number of idle server processes.
-; Note: Used only when pm is set to 'dynamic'
-; Note: Mandatory when pm is set to 'dynamic'
-pm.min_spare_servers = 1
-
-; The desired maximum number of idle server processes.
-; Note: Used only when pm is set to 'dynamic'
-; Note: Mandatory when pm is set to 'dynamic'
-pm.max_spare_servers = 3
-
-; The number of seconds after which an idle process will be killed.
-; Note: Used only when pm is set to 'ondemand'
-; Default Value: 10s
-;pm.process_idle_timeout = 10s;
- 
-; The number of requests each child process should execute before respawning.
-; This can be useful to work around memory leaks in 3rd party libraries. For
-; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
-; Default Value: 0
-;pm.max_requests = 500
-
-; The URI to view the FPM status page. If this value is not set, no URI will be
-; recognized as a status page. It shows the following informations:
-;   pool                 - the name of the pool;
-;   process manager      - static, dynamic or ondemand;
-;   start time           - the date and time FPM has started;
-;   start since          - number of seconds since FPM has started;
-;   accepted conn        - the number of request accepted by the pool;
-;   listen queue         - the number of request in the queue of pending
-;                          connections (see backlog in listen(2));
-;   max listen queue     - the maximum number of requests in the queue
-;                          of pending connections since FPM has started;
-;   listen queue len     - the size of the socket queue of pending connections;
-;   idle processes       - the number of idle processes;
-;   active processes     - the number of active processes;
-;   total processes      - the number of idle + active processes;
-;   max active processes - the maximum number of active processes since FPM
-;                          has started;
-;   max children reached - number of times, the process limit has been reached,
-;                          when pm tries to start more children (works only for
-;                          pm 'dynamic' and 'ondemand');
-; Value are updated in real time.
-; Example output:
-;   pool:                 www
-;   process manager:      static
-;   start time:           01/Jul/2011:17:53:49 +0200
-;   start since:          62636
-;   accepted conn:        190460
-;   listen queue:         0
-;   max listen queue:     1
-;   listen queue len:     42
-;   idle processes:       4
-;   active processes:     11
-;   total processes:      15
-;   max active processes: 12
-;   max children reached: 0
-;
-; By default the status page output is formatted as text/plain. Passing either
-; 'html', 'xml' or 'json' in the query string will return the corresponding
-; output syntax. Example:
-;   http://www.foo.bar/status
-;   http://www.foo.bar/status?json
-;   http://www.foo.bar/status?html
-;   http://www.foo.bar/status?xml
-;
-; By default the status page only outputs short status. Passing 'full' in the
-; query string will also return status for each pool process.
-; Example: 
-;   http://www.foo.bar/status?full
-;   http://www.foo.bar/status?json&full
-;   http://www.foo.bar/status?html&full
-;   http://www.foo.bar/status?xml&full
-; The Full status returns for each process:
-;   pid                  - the PID of the process;
-;   state                - the state of the process (Idle, Running, ...);
-;   start time           - the date and time the process has started;
-;   start since          - the number of seconds since the process has started;
-;   requests             - the number of requests the process has served;
-;   request duration     - the duration in µs of the requests;
-;   request method       - the request method (GET, POST, ...);
-;   request URI          - the request URI with the query string;
-;   content length       - the content length of the request (only with POST);
-;   user                 - the user (PHP_AUTH_USER) (or '-' if not set);
-;   script               - the main script called (or '-' if not set);
-;   last request cpu     - the %cpu the last request consumed
-;                          it's always 0 if the process is not in Idle state
-;                          because CPU calculation is done when the request
-;                          processing has terminated;
-;   last request memory  - the max amount of memory the last request consumed
-;                          it's always 0 if the process is not in Idle state
-;                          because memory calculation is done when the request
-;                          processing has terminated;
-; If the process is in Idle state, then informations are related to the
-; last request the process has served. Otherwise informations are related to
-; the current request being served.
-; Example output:
-;   ************************
-;   pid:                  31330
-;   state:                Running
-;   start time:           01/Jul/2011:17:53:49 +0200
-;   start since:          63087
-;   requests:             12808
-;   request duration:     1250261
-;   request method:       GET
-;   request URI:          /test_mem.php?N=10000
-;   content length:       0
-;   user:                 -
-;   script:               /home/fat/web/docs/php/test_mem.php
-;   last request cpu:     0.00
-;   last request memory:  0
-;
-; Note: There is a real-time FPM status monitoring sample web page available
-;       It's available in: ${prefix}/share/fpm/status.html
-;
-; Note: The value must start with a leading slash (/). The value can be
-;       anything, but it may not be a good idea to use the .php extension or it
-;       may conflict with a real PHP file.
-; Default Value: not set 
-;pm.status_path = /status
- 
-; The ping URI to call the monitoring page of FPM. If this value is not set, no
-; URI will be recognized as a ping page. This could be used to test from outside
-; that FPM is alive and responding, or to
-; - create a graph of FPM availability (rrd or such);
-; - remove a server from a group if it is not responding (load balancing);
-; - trigger alerts for the operating team (24/7).
-; Note: The value must start with a leading slash (/). The value can be
-;       anything, but it may not be a good idea to use the .php extension or it
-;       may conflict with a real PHP file.
-; Default Value: not set
-;ping.path = /ping
-
-; This directive may be used to customize the response of a ping request. The
-; response is formatted as text/plain with a 200 response code.
-; Default Value: pong
-;ping.response = pong
-
-; The access log file
-; Default: not set
-;access.log = /var/log/$pool.access.log
-
-; The access log format.
-; The following syntax is allowed
-;  %%: the '%' character
-;  %C: %CPU used by the request
-;      it can accept the following format:
-;      - %{user}C for user CPU only
-;      - %{system}C for system CPU only
-;      - %{total}C  for user + system CPU (default)
-;  %d: time taken to serve the request
-;      it can accept the following format:
-;      - %{seconds}d (default)
-;      - %{miliseconds}d
-;      - %{mili}d
-;      - %{microseconds}d
-;      - %{micro}d
-;  %e: an environment variable (same as $_ENV or $_SERVER)
-;      it must be associated with embraces to specify the name of the env
-;      variable. Some exemples:
-;      - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
-;      - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
-;  %f: script filename
-;  %l: content-length of the request (for POST request only)
-;  %m: request method
-;  %M: peak of memory allocated by PHP
-;      it can accept the following format:
-;      - %{bytes}M (default)
-;      - %{kilobytes}M
-;      - %{kilo}M
-;      - %{megabytes}M
-;      - %{mega}M
-;  %n: pool name
-;  %o: ouput header
-;      it must be associated with embraces to specify the name of the header:
-;      - %{Content-Type}o
-;      - %{X-Powered-By}o
-;      - %{Transfert-Encoding}o
-;      - ....
-;  %p: PID of the child that serviced the request
-;  %P: PID of the parent of the child that serviced the request
-;  %q: the query string 
-;  %Q: the '?' character if query string exists
-;  %r: the request URI (without the query string, see %q and %Q)
-;  %R: remote IP address
-;  %s: status (response code)
-;  %t: server time the request was received
-;      it can accept a strftime(3) format:
-;      %d/%b/%Y:%H:%M:%S %z (default)
-;  %T: time the log has been written (the request has finished)
-;      it can accept a strftime(3) format:
-;      %d/%b/%Y:%H:%M:%S %z (default)
-;  %u: remote user
-;
-; Default: "%R - %u %t \"%m %r\" %s"
-;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
- 
-; The log file for slow requests
-; Default Value: not set
-; Note: slowlog is mandatory if request_slowlog_timeout is set
-slowlog = /var/log/$pool.log.slow
- 
-; The timeout for serving a single request after which a PHP backtrace will be
-; dumped to the 'slowlog' file. A value of '0s' means 'off'.
-; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
-; Default Value: 0
-;request_slowlog_timeout = 0
- 
-; The timeout for serving a single request after which the worker process will
-; be killed. This option should be used when the 'max_execution_time' ini option
-; does not stop script execution for some reason. A value of '0' means 'off'.
-; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
-; Default Value: 0
-;request_terminate_timeout = 0
- 
-; Set open file descriptor rlimit.
-; Default Value: system defined value
-;rlimit_files = 1024
- 
-; Set max core size rlimit.
-; Possible Values: 'unlimited' or an integer greater or equal to 0
-; Default Value: system defined value
-;rlimit_core = 0
- 
-; Chroot to this directory at the start. This value must be defined as an
-; absolute path. When this value is not set, chroot is not used.
-; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
-; of its subdirectories. If the pool prefix is not set, the global prefix
-; will be used instead.
-; Note: chrooting is a great security feature and should be used whenever 
-;       possible. However, all PHP paths will be relative to the chroot
-;       (error_log, sessions.save_path, ...).
-; Default Value: not set
-;chroot = 
- 
-; Chdir to this directory at the start.
-; Note: relative path can be used.
-; Default Value: current directory or / when chroot
-chdir = /
- 
-; Redirect worker stdout and stderr into main error log. If not set, stdout and
-; stderr will be redirected to /dev/null according to FastCGI specs.
-; Note: on highloaded environement, this can cause some delay in the page
-; process time (several ms).
-; Default Value: no
-;catch_workers_output = yes
-
-; Limits the extensions of the main script FPM will allow to parse. This can
-; prevent configuration mistakes on the web server side. You should only limit
-; FPM to .php extensions to prevent malicious users to use other extensions to
-; exectute php code.
-; Note: set an empty value to allow all extensions.
-; Default Value: .php
-;security.limit_extensions = .php .php3 .php4 .php5
- 
-; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
-; the current environment.
-; Default Value: clean env
-;env[HOSTNAME] = $HOSTNAME
-;env[PATH] = /usr/local/bin:/usr/bin:/bin
-;env[TMP] = /tmp
-;env[TMPDIR] = /tmp
-;env[TEMP] = /tmp
-
-; Additional php.ini defines, specific to this pool of workers. These settings
-; overwrite the values previously defined in the php.ini. The directives are the
-; same as the PHP SAPI:
-;   php_value/php_flag             - you can set classic ini defines which can
-;                                    be overwritten from PHP call 'ini_set'. 
-;   php_admin_value/php_admin_flag - these directives won't be overwritten by
-;                                     PHP call 'ini_set'
-; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
-
-; Defining 'extension' will load the corresponding shared extension from
-; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
-; overwrite previously defined php.ini values, but will append the new value
-; instead.
-
-; Note: path INI options can be relative and will be expanded with the prefix
-; (pool, global or /usr)
-
-; Default Value: nothing is defined by default except the values in php.ini and
-;                specified at startup with the -d argument
-;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
-;php_flag[display_errors] = off
-;php_admin_value[error_log] = /var/log/fpm-php.www.log
-;php_admin_flag[log_errors] = on
-;php_admin_value[memory_limit] = 32M

ubuntu/roles/appservers-php/handlers/main.yml

@@ -1,3 +0,0 @@
----
-- name: start php5-fpm
-  service: name=php5-fpm state=started

ubuntu/roles/appservers-php/tasks/main.yml

@@ -1,9 +0,0 @@
----
-- name: Install php5-fpm
-  apt: pkg=php5-fpm state=latest
-- name: Stop the php5-fpm daemon for now and ensure it starts on boot
-  service: name=php5-fpm state=stopped enabled=yes
-- name: Copy over the php5-fpm www pool config
-  copy: src=www.conf dest=/etc/php5/fpm/pool.d/www.conf backup=yes
-  notify:
-  - start php5-fpm

ubuntu/roles/appservers-uwsgi/files/uwsgi.init

@@ -1,72 +0,0 @@
-#!/bin/sh
-
-### BEGIN INIT INFO
-# Provides:          uwsgi
-# Required-Start:    $all
-# Required-Stop:     $all
-# Default-Start:     2 3 4 5
-# Default-Stop:      0 1 6
-# Short-Description: starts the uwsgi app server
-# Description:       starts uwsgi app server using start-stop-daemon
-### END INIT INFO
-
-PATH=/opt/uwsgi:/sbin:/bin:/usr/sbin:/usr/bin
-DAEMON=/usr/local/bin/uwsgi
-
-OWNER=uwsgi
-
-NAME=uwsgi
-DESC=uwsgi
-
-test -x $DAEMON || exit 0
-
-# Include uwsgi defaults if available
-if [ -f /etc/default/uwsgi ] ; then
-        . /etc/default/uwsgi
-fi
-
-set -e
-
-#DAEMON_OPTS="-s 127.0.0.1:9001 -M 4 -t 30 -A 4 -p 4 -d /var/log/uwsgi.log --pythonpath $PYTHONPATH --module $MODULE"
-DAEMON_OPTS="--emperor /etc/uwsgi/apps -d /var/log/uwsgi.log"
-case "$1" in
-  start)
-        echo -n "Starting $DESC: "
-        start-stop-daemon --start --chuid $OWNER:$OWNER --user $OWNER \
-                --exec $DAEMON -- $DAEMON_OPTS
-        echo "$NAME."
-        ;;
-  stop)
-        echo -n "Stopping $DESC: "
-        start-stop-daemon --signal 3 --user $OWNER --quiet --retry 2 --stop \
-                --exec $DAEMON
-        echo "$NAME."
-        ;;
-  reload)
-        killall -1 $DAEMON
-        ;;
-  force-reload)
-        killall -15 $DAEMON
-       ;;
-  restart)
-        echo -n "Restarting $DESC: "
-        start-stop-daemon --signal 3 --user $OWNER --quiet --retry 2 --stop \
-                --exec $DAEMON
-        sleep 1
-        start-stop-daemon --user $OWNER --start --quiet --chuid $OWNER:$OWNER \
-               --exec $DAEMON -- $DAEMON_OPTS
-        echo "$NAME."
-        ;;
-  status)  
-        killall -10 $DAEMON
-        ;;
-      *)  
-            N=/etc/init.d/$NAME
-            echo "Usage: $N {start|stop|restart|reload|force-reload|status}" >&2
-            exit 1
-            ;;
-    esac
-    exit 0
-
-
-

ubuntu/roles/appservers-uwsgi/files/uwsgi.logrotate

@@ -1,9 +0,0 @@
-"/var/log/uwsgi/*.log" "/var/log/uwsgi/*/*.log" {
-  copytruncate
-  daily
-  rotate 5
-  compress
-  delaycompress
-  missingok
-  notifempty
-}

ubuntu/roles/appservers-uwsgi/handlers/main.yml

@@ -1,3 +0,0 @@
----
-- name: start uwsgi
-  service: name=uwsgi state=started

ubuntu/roles/appservers-uwsgi/tasks/main.yml

@@ -1,24 +0,0 @@
----
-- name: Install virtualenv
-  apt: name=python-virtualenv state=latest
-- name: Install uwsgi from PyPI
-  pip: name=uWSGI
-- name: Add uwsgi group
-  group: name=uwsgi state=present
-- name: Add uwsgi user
-  user: name=uwsgi shell=/sbin/nologin createhome=no group=uwsgi password=$6$Qu5GfWUlAPXh$Ie8Fd9Vzl.PpaFciUbRCI4sIryI6i0rDE29Vf86/WYHgPSWG7x9IIkVU.tG1Mtfq2OM9IeH2IuvOKCcnErMgC1
-- name: Copy over the uwsgi init script and logrotate config
-  copy: src={{ item.name }} dest={{ item.dir }} backup=yes
-  with_items:
-     - { name: 'uwsgi.init', dir: '/etc/init.d/uwsgi' }
-     - { name: 'uwsgi.logrotate', dir: '/etc/logrotate.d/uwsgi' }
-- name: Make sure the init script is executable
-  file: path=/etc/init.d/uwsgi owner=root group=root mode=0755
-- name: Make configuration directory
-  file: path=/etc/uwsgi/apps state=directory
-- name: Make log file with correct permissions
-  file: path=/var/log/uwsgi.log owner=uwsgi group=uwsgi mode=0750 state=touch
-- name: Make sure uwsgi starts on boot
-  service: name=uwsgi enabled=yes
-  notify:
-  - start uwsgi

ubuntu/roles/apt-maintenance/files/50unattended-upgrades

@@ -0,0 +1,91 @@
+// Automatically upgrade packages from these (origin:archive) pairs
+//
+// Note that in Ubuntu security updates may pull in new dependencies
+// from non-security sources (e.g. chromium). By allowing the release
+// pocket these get automatically pulled in.
+Unattended-Upgrade::Allowed-Origins {
+        "${distro_id}:${distro_codename}";
+	"${distro_id}:${distro_codename}-security";
+	// Extended Security Maintenance; doesn't necessarily exist for
+	// every release and this system may not have it installed, but if
+	// available, the policy for updates is such that unattended-upgrades
+	// should also install from here by default.
+	"${distro_id}ESM:${distro_codename}";
+//	"${distro_id}:${distro_codename}-updates";
+//	"${distro_id}:${distro_codename}-proposed";
+//	"${distro_id}:${distro_codename}-backports";
+};
+
+// List of packages to not update (regexp are supported)
+Unattended-Upgrade::Package-Blacklist {
+//	"vim";
+//	"libc6";
+//	"libc6-dev";
+//	"libc6-i686";
+};
+
+// This option will controls whether the development release of Ubuntu will be
+// upgraded automatically.
+Unattended-Upgrade::DevRelease "false";
+
+// This option allows you to control if on a unclean dpkg exit
+// unattended-upgrades will automatically run
+//   dpkg --force-confold --configure -a
+// The default is true, to ensure updates keep getting installed
+//Unattended-Upgrade::AutoFixInterruptedDpkg "false";
+
+// Split the upgrade into the smallest possible chunks so that
+// they can be interrupted with SIGTERM. This makes the upgrade
+// a bit slower but it has the benefit that shutdown while a upgrade
+// is running is possible (with a small delay)
+//Unattended-Upgrade::MinimalSteps "false";
+
+// Install all unattended-upgrades when the machine is shutting down
+// instead of doing it in the background while the machine is running
+// This will (obviously) make shutdown slower
+//Unattended-Upgrade::InstallOnShutdown "true";
+
+// Send email to this address for problems or packages upgrades
+// If empty or unset then no email is sent, make sure that you
+// have a working mail setup on your system. A package that provides
+// 'mailx' must be installed. E.g. "user@example.com"
+Unattended-Upgrade::Mail "s+cron@sadiqs.com";
+
+// Set this value to "true" to get emails only on errors. Default
+// is to always send a mail if Unattended-Upgrade::Mail is set
+//Unattended-Upgrade::MailOnlyOnError "true";
+
+// Remove unused automatically installed kernel-related packages
+// (kernel images, kernel headers and kernel version locked tools).
+//Unattended-Upgrade::Remove-Unused-Kernel-Packages "false";
+
+// Do automatic removal of new unused dependencies after the upgrade
+// (equivalent to apt-get autoremove)
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+
+// Automatically reboot *WITHOUT CONFIRMATION*
+//  if the file /var/run/reboot-required is found after the upgrade
+//Unattended-Upgrade::Automatic-Reboot "false";
+
+// If automatic reboot is enabled and needed, reboot at the specific
+// time instead of immediately
+//  Default: "now"
+//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
+
+// Use apt bandwidth limit feature, this example limits the download
+// speed to 70kb/sec
+//Acquire::http::Dl-Limit "70";
+
+// Enable logging to syslog. Default is False
+// Unattended-Upgrade::SyslogEnable "false";
+
+// Specify syslog facility. Default is daemon
+// Unattended-Upgrade::SyslogFacility "daemon";
+
+// Download and install upgrades only on AC power
+// (i.e. skip or gracefully stop updates on battery)
+// Unattended-Upgrade::OnlyOnACPower "true";
+
+// Download and install upgrades only on non-metered connection
+// (i.e. skip or gracefully stop updates on a metered connection)
+// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";

ubuntu/roles/apt-maintenance/tasks/main.yml

@@ -0,0 +1,21 @@
+---
+# This task sets up unattended-upgrade's config
+
+- name: Install unattended-upgrade and apt-listchanges
+  apt: name={{ packages }} state=latest update_cache=yes
+  vars:
+    packages:
+      - unattended-upgrades
+      - apt-listchanges
+
+- name: Copy our 50unattended-upgrades
+  copy:
+    src: 50unattended-upgrades
+    dest: /etc/apt/apt.conf.d/50unattended-upgrades
+
+- name: Ensure 20auto-upgrades has the correct values using debconf
+  debconf:
+    name: unattended-upgrades
+    question: unattended-upgrades/enable_auto_updates
+    vtype: boolean
+    value: true

ubuntu/roles/common/files/10periodic

@@ -0,0 +1,4 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "0";
+APT::Periodic::AutocleanInterval "7";
+APT::Periodic::Unattended-Upgrade "7";

ubuntu/roles/common/files/aliases

@@ -0,0 +1,3 @@
+# See man 5 aliases for format
+postmaster:    root
+root: s+cron@sadiqs.com

ubuntu/roles/common/files/resolv.conf

@@ -1,2 +0,0 @@
-nameserver ::1
-nameserver 8.8.8.8

ubuntu/roles/common/handlers/main.yml

@@ -3,4 +3,5 @@
   service: name=rsyslog state=restarted
 - name: restart cron
   service: name=cron state=restarted
-
+- name: newaliases
+  shell: newaliases

ubuntu/roles/common/tasks/main.yml

@@ -1,8 +1,12 @@
 ---
 # This playbook contains common plays that will be run all nodes.
 
-- name: Install python-apt, aptitude, and debconf-utils
+- name: Install python-apt, aptitude, and debconf-utils (20.04)
   shell: apt-get update && apt-get -y install python-apt aptitude debconf-utils
+  when: ansible_distribution_release == 'focal'
+- name: Install python-apt, aptitude, and debconf-utils (22.04)
+  shell: apt-get update && apt-get -y install python3-apt aptitude debconf-utils
+  when: ansible_distribution_release == 'jammy'
 - name: Do any package upgrades
   apt: upgrade=dist
 - name: Set default locale to en_US.UTF-8
@@ -16,44 +20,59 @@
   notify:
   - restart rsyslog
   - restart cron
+- name: Set hostname
+  hostname:
+    name: "{{ inventory_hostname }}"
+    use: systemd
+- name: Remove packages we do not need
+  apt:
+    name: "{{ packages }}"
+    state: absent
+  vars:
+    packages:
+    - exim4-daemon-light
+    - consolekit
+    - snapd
+    - lxcfs
+    - rpcbind
+    - ufw
 - name: Install required packages
-  apt: pkg={{ item }} state=latest
-  with_items:
-     - most
-     - zsh
-     - vim
-     - vim-scripts
-     - git
-     - subversion
-     - tmux
-     - multitail
-     - mtr-tiny
-     - curl
-     - dnsutils
-     - sudo
-     - gnupg
-     - traceroute
-     - htop
-     - haveged
-     - python-pip
-     - unbound
-     - duplicity
-     - python-boto
-     - build-essential
-     - vnstat
-     - python-dev
-     - ntp
-- name: Remove exim4 and consolekit
-  apt: pkg={{ item }} state=absent
-  with_items:
-     - exim4-daemon-light
-     - consolekit
-- name: Ensure haveged, unbound, ntp, and vnstat are started on boot
+  apt:
+    name: "{{ packages }}"
+    state: latest
+  vars:
+    packages:
+    - most
+    - vim
+    - vim-scripts
+    - git
+    - tmux
+    - multitail
+    - mtr-tiny
+    - curl
+    - dnsutils
+    - sudo
+    - gnupg
+    - traceroute
+    - htop
+    - haveged
+    - build-essential
+    - vnstat
+    - chrony
+    - unattended-upgrades
+    - mailutils
+    - postfix
+    - python-is-python3
+    - net-tools
+- name: Ensure haveged, ntp, and vnstat are started on boot
   service: name={{ item }} enabled=yes
   with_items:
      - haveged
-     - unbound
      - vnstat
-     - ntp
-- name: use local unbound instance for DNS and Google Public DNS as backup
-  copy: src=resolv.conf dest=/etc/resolv.conf
+     - chrony
+- name: Ensure that the periodic APT cron task clears out old kernels and does unattended security upgrades
+  copy: src=10periodic dest=/etc/apt/apt.conf.d/10periodic backup=yes owner=root group=root mode=0644
+- name: Copy over our aliases file
+  copy: src=aliases dest=/etc/aliases
+  notify:
+    - newaliases

ubuntu/roles/disable-rpcbind/tasks/main.yml

@@ -0,0 +1,23 @@
+---
+# This role disables the rpcbind service on hosts
+
+- name: Disable and mask the rpcbind service
+  systemd:
+    name: rpcbind.service
+    enabled: false
+    state: stopped
+    masked: true
+
+- name: Disable and mask the rpcbind socket
+  systemd:
+    name: rpcbind.socket
+    enabled: false
+    state: stopped
+    masked: true
+
+- name: Disable and mask the rpcbind target
+  systemd:
+    name: rpcbind.target
+    enabled: false
+    state: stopped
+    masked: true

ubuntu/roles/firewall-ruleset-deploy/files/demonreach.silvestris.systems.rules.v4

@@ -0,0 +1,28 @@
+*filter
+:INPUT DROP
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p icmp --icmp-type ping -j ACCEPT
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp --dport 5665 -j ACCEPT
+-A INPUT -p tcp --dport 9001 -j ACCEPT
+-A INPUT -p tcp -m multiport --dports 5269,5222 -j ACCEPT
+-A INPUT -p udp --dport 1194 -j ACCEPT
+-A INPUT -p udp --dport 53 -s 10.8.0.1/24 -j ACCEPT
+-A INPUT -p tcp --dport 53 -s 10.8.0.1/24 -j ACCEPT
+-A INPUT -p udp --dport 53 -s 10.66.66.0/24 -j ACCEPT
+-A INPUT -p tcp --dport 53 -s 10.66.66.0/24 -j ACCEPT
+-A INPUT -p udp --dport 53 -s 100.64.0.0/10 -j ACCEPT
+-A INPUT -p tcp --dport 53 -s 100.64.0.0/10 -j ACCEPT
+-A INPUT -p udp --dport 51802 -j ACCEPT
+COMMIT
+*nat
+:PREROUTING ACCEPT
+:INPUT ACCEPT
+:OUTPUT ACCEPT
+:POSTROUTING ACCEPT
+-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
+-A POSTROUTING -s 10.66.66.0/24 -o eth0 -j MASQUERADE
+COMMIT

ubuntu/roles/firewall-ruleset-deploy/files/demonreach.silvestris.systems.rules.v6

@@ -0,0 +1,32 @@
+*filter
+:INPUT DROP
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+:icmp_in -
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp --dport 5665 -j ACCEPT
+-A INPUT -p tcp --dport 9001 -j ACCEPT
+-A INPUT -p tcp -m multiport --dports 5269,5222 -j ACCEPT
+-A INPUT -p udp -s 2620:98:4002::/48 --dport 53 -j ACCEPT
+-A INPUT -p tcp -s 2620:98:4002::/48 --dport 53 -j ACCEPT
+-A INPUT -p udp -s fd7a:115c:a1e0:ab12:4843:cd96:6241:b43c/128 --dport 53 -j ACCEPT
+-A INPUT -p tcp -s fd7a:115c:a1e0:ab12:4843:cd96:6241:b43c/128 --dport 53 -j ACCEPT
+-A INPUT -p ipv6-icmp -j icmp_in
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
+COMMIT
+*nat
+:PREROUTING ACCEPT
+:INPUT ACCEPT
+:OUTPUT ACCEPT
+:POSTROUTING ACCEPT
+-A POSTROUTING -s fd42:42:42::/64 -o eth0 -j MASQUERADE
+COMMIT

ubuntu/roles/firewall-ruleset-deploy/files/erlking.silvestris.systems.rules.v4

@@ -0,0 +1,12 @@
+*filter
+:INPUT DROP
+:FORWARD DROP
+:OUTPUT ACCEPT
+-A INPUT -m set --match-set nasties src -j DROP
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p icmp --icmp-type ping -j ACCEPT
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
+-A INPUT -p tcp --dport 5665 -j ACCEPT
+COMMIT

ubuntu/roles/firewall-ruleset-deploy/files/erlking.silvestris.systems.rules.v6

@@ -0,0 +1,20 @@
+*filter
+:INPUT DROP
+:FORWARD DROP
+:OUTPUT ACCEPT
+:icmp_in -
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp -m multiport --dport 80,443 -j ACCEPT
+-A INPUT -p tcp --dport 5665 -j ACCEPT
+-A INPUT -p ipv6-icmp -j icmp_in
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
+COMMIT

ubuntu/roles/firewall-ruleset-deploy/files/gard.silvestris.systems.rules.v4

@@ -0,0 +1,10 @@
+*filter
+:INPUT DROP
+:FORWARD DROP
+:OUTPUT ACCEPT
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p icmp --icmp-type ping -j ACCEPT
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp --dport 5665 -j ACCEPT
+COMMIT

ubuntu/roles/firewall-ruleset-deploy/files/gard.silvestris.systems.rules.v6

@@ -0,0 +1,19 @@
+*filter
+:INPUT DROP
+:FORWARD DROP
+:OUTPUT ACCEPT
+:icmp_in -
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp --dport 5665 -j ACCEPT
+-A INPUT -p ipv6-icmp -j icmp_in
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
+COMMIT

ubuntu/roles/firewall-ruleset-deploy/files/molly.silvestris.systems.rules.v4

@@ -0,0 +1,24 @@
+*filter
+:INPUT DROP
+:FORWARD DROP
+:OUTPUT DROP
+-A INPUT -m set --match-set nasties src -j DROP
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5665 -j ACCEPT
+-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
+-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
+-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
+-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
+-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp -m tcp --dport 587 -j ACCEPT
+-A OUTPUT -p tcp -m tcp --dport 5665 -j ACCEPT
+-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
+-A OUTPUT -p udp -m multiport --dports 67,68 -j ACCEPT
+-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
+COMMIT

ubuntu/roles/firewall-ruleset-deploy/files/molly.silvestris.systems.rules.v6

@@ -0,0 +1,31 @@
+*filter
+:INPUT DROP
+:FORWARD DROP
+:OUTPUT DROP
+:icmp_in -
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5665 -j ACCEPT
+-A INPUT -p ipv6-icmp -j icmp_in
+-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
+-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
+-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
+-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp -m tcp --dport 587 -j ACCEPT
+-A OUTPUT -p ipv6-icmp -j ACCEPT
+-A OUTPUT -p tcp -m tcp --dport 5665 -j ACCEPT
+-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
+-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
+COMMIT

ubuntu/roles/firewall-ruleset-deploy/files/netfilter-persistent

@@ -0,0 +1,4 @@
+# Configuration for netfilter-persistent
+# Plugins may extend this file or have their own
+
+FLUSH_ON_STOP=0

ubuntu/roles/firewall-ruleset-deploy/files/uriel.silvestris.systems.rules.v4

@@ -0,0 +1,12 @@
+*filter
+:INPUT DROP
+:FORWARD DROP
+:OUTPUT ACCEPT
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p icmp --icmp-type ping -j ACCEPT
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp --dport 5665 -j ACCEPT
+-A INPUT -p tcp --dport 80 -j ACCEPT
+-A INPUT -p tcp --dport 443 -j ACCEPT
+COMMIT

ubuntu/roles/firewall-ruleset-deploy/files/uriel.silvestris.systems.rules.v6

@@ -0,0 +1,21 @@
+*filter
+:INPUT DROP
+:FORWARD DROP
+:OUTPUT ACCEPT
+:icmp_in -
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp --dport 5665 -j ACCEPT
+-A INPUT -p tcp --dport 80 -j ACCEPT
+-A INPUT -p tcp --dport 443 -j ACCEPT
+-A INPUT -p ipv6-icmp -j icmp_in
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
+COMMIT

ubuntu/roles/firewall-ruleset-deploy/handlers/main.yml

@@ -0,0 +1,13 @@
+---
+
+- name: restart netfilter-persistent-v4
+  service:
+    name: netfilter-persistent
+    state: restarted
+    enabled: yes
+
+- name: restart netfilter-persistent-v6
+  service:
+    name: netfilter-persistent
+    state: restarted
+    enabled: yes

ubuntu/roles/firewall-ruleset-deploy/tasks/main.yml

@@ -0,0 +1,31 @@
+---
+# This role deploys firewall rulesets to Ubuntu hosts
+
+- name: Make sure iptables and netfilter-persistent are installed
+  apt:
+    name: "{{ packages }}"
+    state: latest
+  vars:
+    packages:
+    - iptables-persistent
+    - netfilter-persistent
+    - ipset
+
+- name: Copy defaults file with our mods
+  copy:
+    src: netfilter-persistent
+    dest: /etc/default/netfilter-persistent
+
+- name: Copy IPv4 ruleset
+  copy:
+    src: "{{ ansible_fqdn }}.rules.v4"
+    dest: /etc/iptables/rules.v4
+  notify:
+    - restart netfilter-persistent-v4
+
+- name: Copy IPv6 ruleset
+  copy:
+    src: "{{ ansible_fqdn }}.rules.v6"
+    dest: /etc/iptables/rules.v6
+  notify:
+    - restart netfilter-persistent-v6

ubuntu/roles/icinga-client/files/restart.conf

@@ -0,0 +1,2 @@
+[Service]
+Restart=on-failure

ubuntu/roles/icinga-client/tasks/main.yml

@@ -0,0 +1,26 @@
+---
+# This role installs Icinga 2 and the plugins required on a Icinga client nodes
+
+- name: Add Icinga package repository key
+  apt_key: url="https://packages.icinga.com/icinga.key" state=present
+- name: Add Icinga apt repository
+  apt_repository: repo="deb https://packages.icinga.com/ubuntu icinga-{{ ansible_distribution_release }} main" state=present
+- name: Update apt cache and install Icinga packages
+  apt: name={{ packages }} state=latest update_cache=yes
+  vars:
+    packages:
+      - icinga2
+      - monitoring-plugins
+- name: Ensure icinga2 systemd folder exists
+  file:
+    path: /etc/systemd/system/icinga2.service.d/
+    state: directory
+- name: Copy custom icinga2 systemd service file modifications
+  copy:
+    src: restart.conf
+    dest: /etc/systemd/system/icinga2.service.d/restart.conf
+- name: Ensure that icinga2 systemd service is enabled
+  systemd:
+    name: icinga2
+    enabled: yes
+    daemon_reload: yes

ubuntu/roles/ipset-deploy/files/erlking.silvestris.systems.ipset

@@ -0,0 +1,31 @@
+create nasties hash:net family inet hashsize 1024 maxelem 65536
+# domaincrawler.com aggressive crawler/bot
+add nasties 185.6.8.3/32
+add nasties 185.6.8.7/32
+# Seekport Crawler, aggressive
+add nasties 95.216.172.167/32
+# SearchAtlas.com SEO Crawler, doesn't respect robots.txt
+add nasties 147.75.106.146/32
+# moz.com SEO crawler
+add nasties 216.244.66.229/32
+# Aspiegel (Huawei) bot range
+add nasties 114.119.160.0/21
+add nasties 114.119.128.0/19
+# Centurybot
+add nasties 64.62.202.73/32
+# Adsbot
+add nasties 216.18.204.0/24
+add nasties 173.231.59.0/24
+# Unknown crawler, no user agent, doesn't actually respect robots.txt
+add nasties 217.160.142.105/32
+# MegaIndex.ru Crawler
+add nasties 176.9.41.28/32
+# AS206728 Media Land LLC, seems to be botnet IPs
+add nasties 45.141.84.0/24
+add nasties 45.141.85.0/24
+add nasties 45.141.86.0/24
+add nasties 45.141.87.0/24
+add nasties 91.220.163.0/24
+add nasties 193.242.153.0/24
+add nasties 194.26.29.0/24
+add nasties 194.113.209.0/24

ubuntu/roles/ipset-deploy/files/ipset.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Loading IP Sets
+Before=network.target
+Before=netfilter-persistent.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/sbin/ipset -! -f /etc/ipset.conf restore
+ExecReload=/sbin/ipset -! -f /etc/ipset.conf restore
+ExecStop=/sbin/ipset flush
+
+[Install]
+WantedBy=multi-user.target
+RequiredBy=netfilter-persistent.service

ubuntu/roles/ipset-deploy/files/molly.silvestris.systems.ipset

@@ -0,0 +1,49 @@
+create nasties hash:net family inet hashsize 1024 maxelem 65536
+# Scrapy bot from University of Milan
+add nasties 159.149.133.66/32
+# domaincrawler.com aggressive crawler/bot
+add nasties 185.6.8.3/32
+add nasties 185.6.8.7/32
+# infegy data collection
+add nasties 173.244.135.0/25
+# 1776 Solutions, kiwifarms
+add nasties 103.114.191.0/24
+# Bytespider crawler, aggressive
+add nasties 110.240.0.0/12
+add nasties 111.224.0.0/14
+add nasties 220.243.128.0/20
+# Seekport Crawler, aggressive
+add nasties 95.216.172.167/32
+# SearchAtlas.com SEO Crawler, doesn't respect robots.txt
+add nasties 147.75.106.146/32
+# AlkonavtNetwork, Russian spam account creation source
+add nasties 5.188.210.0/24
+# moz.com SEO crawler
+add nasties 216.244.66.229/32
+# Aspiegel (Huawei) bot range
+add nasties 114.119.160.0/21
+add nasties 114.119.128.0/19
+# Centurybot
+add nasties 64.62.202.73/32
+# search.noc.social
+add nasties 149.248.4.242/32
+# Adsbot
+add nasties 216.18.204.0/24
+add nasties 173.231.59.0/24
+# Unknown crawler, no user agent, doesn't actually respect robots.txt
+add nasties 217.160.142.105/32
+# MegaIndex.ru Crawler
+add nasties 176.9.41.28/32
+# Unknown crawler, ignores robots.txt
+add nasties 101.200.169.64/32
+# AS206728 Media Land LLC, seems to be botnet IPs
+add nasties 45.141.84.0/24
+add nasties 45.141.85.0/24
+add nasties 45.141.86.0/24
+add nasties 45.141.87.0/24
+add nasties 91.220.163.0/24
+add nasties 193.242.153.0/24
+add nasties 194.26.29.0/24
+add nasties 194.113.209.0/24
+# webmeup crawler, doesn't respect robots.txt
+add nasties 157.90.177.214/32

ubuntu/roles/ipset-deploy/handlers/main.yml

@@ -0,0 +1,3 @@
+- name: reload systemd
+  systemd:
+    daemon_reload: yes

ubuntu/roles/ipset-deploy/tasks/main.yml

@@ -0,0 +1,23 @@
+---
+# This role deploys ipset rulesets to Ubuntu hosts
+
+- name: Copy ipset.service
+  copy:
+    src: ipset.service
+    dest: /etc/systemd/system/ipset.service
+
+- name: Enable ipset.service
+  systemd:
+    name: ipset
+    enabled: yes
+    daemon_reload: yes
+
+- name: Copy ipset rulesets
+  copy:
+    src: "{{ ansible_fqdn }}.ipset"
+    dest: /etc/ipset.conf
+
+- name: Restart ipset service
+  systemd:
+    name: ipset
+    state: restarted

ubuntu/roles/mysql/tasks/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Install MySQL server
+  apt: pkg=mysql-server state=latest
+- name: Start MySQL daemon and ensure it starts on boot
+  service: name=mysql state=started enabled=yes

ubuntu/roles/package-update/tasks/main.yml

@@ -0,0 +1,5 @@
+---
+# This role updates packages and performs autoremove
+
+- name: Update apt cache and then packages with autoremove
+  apt: update_cache=yes upgrade=safe autoremove=yes

ubuntu/roles/pgbackrest-install/files/pgbackrest

@@ -0,0 +1,9 @@
+/var/log/pgbackrest/*.log {
+        daily
+        missingok
+        rotate 7
+        compress
+        delaycompress
+        notifempty
+        create 640 postgres postgres
+}

ubuntu/roles/pgbackrest-install/tasks/main.yml

@@ -0,0 +1,39 @@
+---
+# This task installs pgbackrest on a host
+
+- name: Copy pgbackrest binary to host
+  copy:
+    src: /builds/pgbackrest-release-2.44/src/pgbackrest
+    dest: /usr/bin/pgbackrest
+    mode: '0755'
+
+- name: Make sure Perl is installed
+  apt:
+    name: perl
+    state: latest
+
+- name: Make pgbackrest log directory with the correct permissions
+  file:
+    path: /var/log/pgbackrest
+    state: directory
+    owner: postgres
+    group: postgres
+    mode: '0770'
+
+- name: Make pgbackrest config directory
+  file:
+    path: /etc/pgbackrest/conf.d
+    state: directory
+
+- name: Touch pgbackrest.conf
+  file:
+    path: /etc/pgbackrest/pgbackrest.conf
+    state: touch
+    owner: postgres
+    group: postgres
+    mode: '0640'
+
+- name: Copy pgbackrest logrotate configuration
+  copy:
+    src: pgbackrest
+    dest: /etc/logrotate.d/pgbackrest

ubuntu/roles/php/tasks/main.yml

@@ -0,0 +1,16 @@
+---
+- name: Install PHP libraries
+  apt: pkg={{ item }} state=latest
+  with_items:
+     - php-mysql
+     - php-xml
+     - php-gd
+
+- name: Install php-fpm
+  apt: pkg=php-fpm state=latest
+- name: Start PHP-FPM daemon, and make sure it is started on boot
+  when: ansible_distribution_release == 'xenial'
+  service: name=php7.0-fpm state=started enabled=yes
+- name: Start PHP-FPM daemon, and make sure it is started on boot
+  when: ansible_distribution_release == 'bionic'
+  service: name=php7.2-fpm state=started enabled=yes

ubuntu/roles/ssh-enforcement/files/authorized_keys

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC2DmG7640FmD9QDLDrydiU5kmhJM/ScKOhhHPYndWEdFGMmfnJpqyoPOq5a6cDwLAFyl6ALTjVr6+y4U2hqHmqIs/ds9SeiNzOnPsMUp1DkuVoNyH4WekaA9oXgsb9ZCjHSXB+W3rOgvGYTAuC8GyLYGppInrd6+OKoyZtgx01JYAatfSWGncerNw+x8LiQaF+o62cCDq+3OpyZBbGpLg/wNMtg/Wsaton7fwo2hi8lOkQjzJZPUvPaOcpezK9SLXExyUl+oIcMmGqmExHpXwhA8+TuwbeM5XXT5RJCOw4c2WlMTb93FmdCjtXtInUYc/M80SftdLPokmbzc7uWDV+PX5XVoQCp7JiYS92gkAdlv8aeNMzpbGvd9uUjGKm08dh1aT76I9b9O4sA+vL2PwW2lKdsesksiseF92446kqvOEumB/wh+7yd1N9yOS3Vggasl2iEYgbNiDoCqyXnH6GSHkdxr9CwAyuWy5vmqR5zdV1UsQnRzECrQIFbJpFU98rLfuRM1L9qN4kqxuciv+DAPRm17WAhrjhoZL5xh5+t8TfaO+7qMmjvNO1oRbeTkM0JqdlvcvTUFB7sxDIPuCySIMfi2KTTUpk0i9HHRfJrOr1K02VvwKC302GkFnVEDYKPlXivoI6i1bLaubSZHqDIgUuZeGLTXhG47ner6dMKw== Network Management

ubuntu/roles/ssh-enforcement/files/sshd_config

@@ -0,0 +1,26 @@
+# Supported HostKey algorithms by order of preference.
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+
+KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+# Password based logins are disabled - only public key based logins are allowed.
+AuthenticationMethods publickey
+
+# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
+LogLevel VERBOSE
+
+# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
+Subsystem sftp  /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
+
+# Some of the Debian specific options sans X11 Forwarding
+# X11 Forwarding is turned off because we don't run X11 on servers
+ChallengeResponseAuthentication no
+PrintMotd no
+AcceptEnv LANG LC_*
+UsePAM yes

ubuntu/roles/ssh-enforcement/handlers/main.yml

@@ -0,0 +1,5 @@
+- name: restart sshd
+  service:
+    name: ssh
+    state: restarted
+    enabled: yes

ubuntu/roles/ssh-enforcement/tasks/main.yml

@@ -0,0 +1,15 @@
+---
+# This task enforces our OpenSSH server config and authorized_keys for
+# cloud servers
+
+- name: Copy our authorized_keys
+  copy:
+    src: authorized_keys
+    dest: /root/.ssh/authorized_keys
+
+- name: Copy our sshd_config
+  copy:
+    src: sshd_config
+    dest: /etc/ssh/sshd_config
+  notify:
+    - restart sshd

ubuntu/roles/turn-off-motd-news/files/motd-news

@@ -0,0 +1,19 @@
+# Enable/disable the dynamic MOTD news service
+# This is a useful way to provide dynamic, informative
+# information pertinent to the users and administrators
+# of the local system
+ENABLED=0
+
+# Configure the source of dynamic MOTD news
+# White space separated list of 0 to many news services
+# For security reasons, these must be https
+# and have a valid certificate
+# Canonical runs a service at motd.ubuntu.com, and you
+# can easily run one too
+URLS="https://motd.ubuntu.com"
+
+# Specify the time in seconds, you're willing to wait for
+# dynamic MOTD news
+# Note that news messages are fetched in the background by
+# a systemd timer, so this should never block boot or login
+WAIT=5

ubuntu/roles/turn-off-motd-news/tasks/main.yml

@@ -0,0 +1,12 @@
+---
+# This role turns off the MOTD news in Ubuntu 18.04
+
+- name: Copy motd-news file
+  when: ansible_distribution_release == 'bionic' or ansible_distribution_release == 'focal'
+  copy:
+    src: motd-news
+    dest: /etc/default/motd-news
+    owner: root
+    group: root
+    mode: 0644
+    backup: yes

ubuntu/roles/webservers-nginx/files/0-catch-all

@@ -1,12 +0,0 @@
-# This file is a nginx catch-all vhost, probably put here in an automated
-# fashion.
-server {
-    listen 80;
-    listen [::]:80 ipv6only=on;
-    server_name _; # This is just an invalid value which will never trigger on a real hostname.
-    access_log /var/log/nginx/default.access.log;
-    index index.html;
-    server_name_in_redirect off;
-    root  /srv/www/catch-all;
-}
-

ubuntu/roles/webservers-nginx/files/cloudflare.conf

@@ -1,11 +0,0 @@
-# Cloudflare
-set_real_ip_from   204.93.240.0/24;
-set_real_ip_from   204.93.177.0/24;
-set_real_ip_from   199.27.128.0/21;
-set_real_ip_from   173.245.48.0/20;
-set_real_ip_from   103.22.200.0/22;
-set_real_ip_from   141.101.64.0/18;
-set_real_ip_from   108.162.192.0/18;
-set_real_ip_from   190.93.240.0/20;
-real_ip_header     CF-Connecting-IP;
-

ubuntu/roles/webservers-nginx/files/nginx.conf

@@ -1,63 +0,0 @@
-user www-data;
-worker_processes auto;
-pid /var/run/nginx.pid;
-
-events {
-	worker_connections 768;
-	# multi_accept on;
-}
-
-http {
-	##
-	# Basic Settings
-	##
-    sendfile on;
-	tcp_nopush on;
-	tcp_nodelay on;
-	keepalive_timeout 70;
-	types_hash_max_size 2048;
-	server_tokens off;
-    ssl_session_cache  shared:SSL:10m;
-    ssl_session_timeout 10m;
-	# server_names_hash_bucket_size 64;
-	# server_name_in_redirect off;
-
-	include /etc/nginx/mime.types;
-	default_type application/octet-stream;
-
-	##
-	# Logging Settings
-	##
-
-	access_log /var/log/nginx/access.log;
-	error_log /var/log/nginx/error.log;
-
-	##
-	# Gzip Settings
-	##
-
-	gzip on;
-	gzip_disable "msie6";
-
-	# gzip_vary on;
-	# gzip_proxied any;
-	# gzip_comp_level 6;
-	# gzip_buffers 16 8k;
-	# gzip_http_version 1.1;
-	gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
-
-	##
-	# Virtual Host Configs
-	##
-
-	include /etc/nginx/conf.d/*.conf;
-	include /etc/nginx/sites-enabled/*;
-
-	# Upstream to abstract backend connection(s) for PHP.
-	upstream php {
-#		server unix:/tmp/php-fpm.sock;
-		server 127.0.0.1:9000;
-	}
-
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-}

ubuntu/roles/webservers-nginx/files/php-generic.conf

@@ -1,14 +0,0 @@
-index index.php index.html index.htm;
-location / {
-    try_files $uri $uri/ /index.php?$args;
-}
-
-location ~ \.php$ {
-    try_files $uri =404;
-    fastcgi_split_path_info ^(.+\.php)(/.+)$;
-    include fastcgi_params;
-    fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
-    fastcgi_pass php;
-    fastcgi_index index.php;
-}
-

ubuntu/roles/webservers-nginx/files/security-generic.conf

@@ -1,23 +0,0 @@
-location = /favicon.ico {
-        log_not_found off;
-        access_log off;
-}
-
-location = /robots.txt {
-        allow all;
-        log_not_found off;
-        access_log off;
-}
-
-# Directives to send expires headers and turn off 404 error logging.
-location ~* \.(js|css|png|jpg|jpeg|gif|ico|html)$ {
-        expires 24h;
-}
-
-# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
-location ~ /\. {
-        deny all;
-        access_log off;
-        log_not_found off;
-}
-

ubuntu/roles/webservers-nginx/files/wordpress-generic.conf

@@ -1,39 +0,0 @@
-# WordPress single blog rules.
-# Designed to be included in any server {} block.
-
-# This order might seem weird - this is attempted to match last if rules below fail.
-# http://wiki.nginx.org/HttpCoreModule
-location / {
-        try_files $uri $uri/ /index.php?$args;
-}
-
-# Add trailing slash to */wp-admin requests.
-rewrite /wp-admin$ $scheme://$host$uri/ permanent;
-
-# Directives to send expires headers and turn off 404 error logging.
-location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
-        expires 24h;
-}
-
-# Uncomment one of the lines below for the appropriate caching plugin (if used).
-#include global/wordpress-supercache.conf;
-#include global/wordpress-w3cache.conf;
-
-# Pass all .php files onto a php-fpm/php-fcgi server.
-location ~ \.php$ {
-        # Zero-day exploit defense.
-        # http://forum.nginx.org/read.php?2,88845,page=3
-        # Won't work properly (404 error) if the file is not stored on this server, which is entirely possible with php-fpm/php-fcgi.
-        # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on another machine.  And then cross your fingers that you won't get hacked.
-        try_files $uri =404;
-
-        fastcgi_split_path_info ^(.+\.php)(/.+)$;
-        #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
-
-        include fastcgi_params;
-        fastcgi_index index.php;
-        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-#       fastcgi_intercept_errors on;
-        fastcgi_pass php;
-}
-

ubuntu/roles/webservers-nginx/files/wordpress-security.conf

@@ -1,34 +0,0 @@
-# Global restrictions configuration file.
-# Designed to be included in any server {} block.</p>
-location = /favicon.ico {
-        log_not_found off;
-        access_log off;
-}
-
-location = /robots.txt {
-        allow all;
-        log_not_found off;
-        access_log off;
-}
-
-# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
-location ~ /\. {
-        deny all;
-        access_log off;
-        log_not_found off;
-}
-
-# Deny access to any files with a .php extension in the uploads directory
-location ~* ^/wp-content/uploads/.*.php$ {
-        deny all;
-        access_log off;
-        log_not_found off;
-}
-
-# Deny access to any files with a .php extension in the uploads directory for multisite
-location ~* /files/(.*).php$ {
-        deny all;
-        access_log off;
-        log_not_found off;
-}
-

ubuntu/roles/webservers-nginx/handlers/main.yml

@@ -1,3 +0,0 @@
----
-- name: start nginx
-  service: name=nginx state=started

ubuntu/roles/webservers-nginx/tasks/main.yml

@@ -1,31 +0,0 @@
----
-- name: Install nginx package
-  apt: pkg=nginx state=latest
-- name: Stop nginx for now and also make it start on boot
-  service: name=nginx state=stopped enabled=yes
-- name: Make nginx related dirs
-  file: path={{ item }} state=directory
-  with_items:
-     - /etc/nginx/global
-     - /etc/nginx/sites-available
-     - /etc/nginx/sites-enabled
-     - /srv/www/catch-all
-- name: Clean out default vhost file in enabled and available dirs
-  file: path={{ item }} state=absent
-  with_items:
-     - /etc/nginx/sites-enabled/default
-     - /etc/nginx/sites-available/default
-- name: Copy over all nginx configuration files
-  copy: src={{ item.name }}  dest={{ item.dir }}
-  with_items:
-     - { name: 'nginx.conf', dir: '/etc/nginx/nginx.conf' }
-     - { name: '0-catch-all', dir: '/etc/nginx/sites-available/0-catch-all' }
-     - { name: 'cloudflare.conf', dir: '/etc/nginx/global/cloudflare.conf' }
-     - { name: 'php-generic.conf', dir: '/etc/nginx/global/php-generic.conf' }
-     - { name: 'security-generic.conf', dir: '/etc/nginx/global/security-generic.conf' }
-     - { name: 'wordpress-generic.conf', dir: '/etc/nginx/global/wordpress-generic.conf' }
-     - { name: 'wordpress-security.conf', dir: '/etc/nginx/global/wordpress-security.conf' }
-- name: Symlink the default catch-all vhost
-  file: src=/etc/nginx/sites-available/0-catch-all dest=/etc/nginx/sites-enabled/0-catch-all state=link
-  notify:
-  - start nginx

ubuntu/sanya.silvestris.systems.yml

@@ -0,0 +1,47 @@
+---
+- hosts: sanya.silvestris.systems
+
+  roles:
+  - role: jdauphant.nginx
+    nginx_user: "www-data"
+    nginx_events_params:
+      - worker_connections 1024
+    nginx_http_params:
+      - sendfile "on"
+      - server_names_hash_bucket_size 512
+    nginx_sites:
+      git.packetcat.ca.http:
+        - listen *:80
+        - listen [::]:80
+        - server_name git.packetcat.ca
+        - return 301 "https://$host$request_uri"
+      git.packetcat.ca.https:
+        - listen *:443 ssl http2
+        - listen [::]:443 ssl http2
+        - server_name git.packetcat.ca
+        - access_log "/var/log/nginx/git.packetcat.ca.access.log"
+        - error_log "/var/log/nginx/git.packetcat.ca.error.log"
+        - ssl_certificate "/etc/ssl/letsencrypt/git.packetcat.ca.crt"
+        - ssl_certificate_key "/etc/ssl/letsencrypt/git.packetcat.ca.pem"
+        - ssl_stapling on
+        - resolver [::1] valid=300s
+        - add_header Strict-Transport-Security max-age=31536000
+        - location / {
+            proxy_pass http://127.0.0.1:3000;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+          }
+    nginx_configs:
+      gzip:
+        - gzip on
+        - gzip_disable msie6
+        - gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript
+      ssl:
+        - ssl_protocols TLSv1.2 TLSv1.3
+        - ssl_prefer_server_ciphers on
+        - ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'
+        - ssl_session_timeout 1d
+        - ssl_session_cache shared:SSL:50m
+        - ssl_session_tickets off

ubuntu/site.yml

@@ -1,29 +1,12 @@
 ---
 
 - name: apply common configuration to all nodes
-  hosts: all
+  hosts: unsetup
   user: root
 
   roles:
     - common
-
-- name: apply configuration to web servers (nginx)
-  hosts: webservers-nginx
-  user: root
-
-  roles:
-    - webservers-nginx
-
-- name: apply configuration to PHP app servers
-  hosts: appservers-php
-  user: root
-
-  roles:
-    - appservers-php
-
-- name: apply configuration to uwsgi app servers
-  hosts: appservers-uwsgi
-  user: root
-
-  roles:
-    - appservers-uwsgi
+    - turn-off-motd-news
+    - apt-maintenance
+    - ssh-enforcement
+    - disable-rpcbind

ubuntu/ssh-enforcement.yml

@@ -0,0 +1,7 @@
+---
+- name: SSH Enforcement
+  hosts: cloud
+  user: root
+
+  roles:
+    - ssh-enforcement